Bitlocker and the FBI

Colonel Travis

Went to the New Efficiency thing today and one of the MS presenters said that the FBI asked MS if there would be a backdoor for Bitlocker. MS said no. According to the MS guy, the FBI then said to MS: you can't include it on 7 consumer versions. Maybe this has been discussed here or elsewhere, but that was the first I'd heard the reason why Bitlocker is not on Home or Professional.

In another lifetime I worked for a member of Congress, and one of his big issues was encryption. Congress passed an encryption bill 10-12 years ago? Can't remember, by then I had long left my Congressional job, and I never bothered to read much about what that bill was about. But before it was passed, I do remember the fights between the government and private industry about who should be allowed to use powerful encryption.

My guess is that since the passage of that bill, MS and every other software manufacturer in the U.S. that deals with encryption has to let the Feds know ahead of time what they're working on? Just a guess. I can't imagine it would be the other way around - FBI gets word of something and goes and knocks on Bill Gates's door or whatnot. Then again, having worked in the gigantic pile of crap that is the United States Federal Bureaucracy, I wouldn't be surprised by any federal agency doing anything to anyone about anything at any time.

The only reason I went to the New Efficiency thing was for the free 7. I don't own a business, I command no employees, the closest thing to IT I've ever been in is helping relatives untangle whatever rudimentary e-mess they've got themselves into on their home PC. Not a big fan of the diminutive, gilt-edged crowd being the only ones who get to use the fancy stuff in the world, like fancy encryption. So the fact that I walked out with a copy of Ultimate, which has Bitlocker, which will only be used at home for nothing but my own pleasure, I must say I felt like a real bleeping bad-***.
 

There is other free open source encryption software that is arguably more powerful and less likely to have any back doors than Bitlocker. For example, check out TrueCrypt.

As far as I know, most of the legal rules about encryption software concern rules regarding the export of the technology.
 

less likely to have any back doors...
None would have backdoors. That would just be silly from a security standpoint.
 

As you might be able to guess, my forum name is derived from Pretty Good Privacy, which most consider the finest encryption software available (at least in the last 15 years or so). The creator (Phil Zimmermann) was targeted by the government in approx. 1993, for prosecution for 'illegally distributing munitions' - the government (at least then) considered data encryption software legally a munition! - and since he freely gave it away, he was assumed to be distributing it. Problem was, there was no 'back door' and so the government wasn't very happy as it was so good, they didn't have a way to break it.

The thing that was really stupid is that it was 'legal' to print the source code in a book (which was done) and sell that book anywhere, but you couldn't make the compiled software available! Eventually, they dropped charges as they couldn't prove that 'he' specifically sent the software out of the US.

A true story, but just goes to show you how paranoid the government can be when they fear being 'left out' of a conversation.

-PGPfan
 

Indeed, PGPfan.

Yeah, harpua, you're right about the export of encryption. I looked up the bill, which didn't have anything to do with MS's Bitlocker situation. Most gov't computers run Windows, the feds are well aware what comes out of Redmond.
 

The reason why I chose to have Windows 7 Home Premium is that Professional and Ultimate only have additional features that I either don't need or can get by other means, and they cost MUCH more - really expensive here in Brazil, where I live and where Microsoft isn't selling upgrade licenses, family packs, student licenses or even Windows Anytime Upgrade. You can only buy the retail box with a full license (OEM is available, too, but since I intend to replace my old computer soon, I didn't want an "unmoveable" license).

Those features include XP Mode, which I wouldn't be able to use anyway with my old processor but can get (and have got) probably with better performance using free VMware Player, and BitLocker, which I don't need because I don't have a laptop (and my old motherboard doesn't have a TPM chip either). BitLocker to Go might be interesting for my external HDDs, but I have no industrial or military secrets to protect, and my only concern would be barely literate petty street thieves who would sell the devices cheap for drugs. BitLocker may have stronger encryption because it's hardware-based, but TrueCrypt is more than enough. Besides, no one will be able to convince me that TPM doesn't have any backdoor, no matter how much they swear it. TrueCrypt is open source and easily scrutinized - if it had a backdoor, we would know.

I have PGP too, and find its history very interesting, especially the occasion when its source code was printed in a special OCR-optimized font and the printed sheets were legally sent to Norway, where they were scanned with a state-of-the-art ultrafast scanner, OCR'ed, and the resulting code was compiled and distributed worldwide as PGPi (for "international"), in a 100% legal operation, making the U.S. agencies look like complete fools. As far as I know, ITAR export restrictions have since been lifted, except to countries like Cuba, Libya, Syria and the like, but Castro, Qaddafi and Assad can easily get it in the market anyway. Besides, not only the U.S. makes strong encryption software. Switzerland and Israel, for example, are very good at it and have no export restrictions.

But I haven't been able to use PGP messaging much because too few people I know have PGP keys. Now it has become commercial and closed-source, and the other features, such as PGPdisk, are paid and I can get equivalent features with free software such as TrueCrypt. Besides, PGP has a weak link: the user, who must understand exactly how it works, concepts such as web of trust, safe keeping of keyrings, man-in-the-middle attacks and so on. PGP is too technical for most people and this prevents a wider adoption, despite its excellent quality in all respects. S/MIME is now preferred because it works with standard and notarized digital certificates.

There are countries where personal cryptography is illegal, and they include not only notorious dictatorships such as China, but also a few otherwise democratic countries such as France. But in practice, they can't control it. And that's the beauty of it.
 
