> Does tying those keys to your MS account fix that failure method?
Yes. Bitlocker recovery keys are escrowed to the Microsoft account. I've relied on this recover data from a family member's PC when it failed and they had unknowingly opted-in to Bitlocker (a Microsoft Surface Laptop running Windows 10 S Mode).
>As opposed to just not encrypting their data at all and letting everyone who ends up with the drive have their data.
You are presenting a false dilemma where either Bitlocker is in use or the drive is entirely unencrypted; there are other ways to ensure data integrity in the face of physical compromise.
1. It's not a false dilemma, it's more of a question of how to handle the "average Joe" user that doesn't know how to store encryption keys. I don't like how this automatic encryption is implemented, by the way, but sending the keys to MS servers is not the worst idea ever.
2. Bitlocker can totally be used without a MS account and without sending keys anywhere and without TPM... But seeing how most people fail to RTFM we're back to point 1.
I mention that only because it's one avenue. I figured obviously on a place like Hacker News that malicious agents aside from government could also compromise the security of 3rd party-held keys; as always security is a matter of difficult tradeoffs and anticipated threat categories.
I do work for a County who uses Tyler's Munis product.
The product is a disparate hodge-podge of technologies. It's mostly written in an oddball application hosting framework called "Genero" from a company called "4Js". There are some off-the-shelf bits and pieces (various Apache-licensed libraries, Tomcat) for report generation. The data is hosted in Microsoft SQL Server.
The support teams are very focused on their silos and know nothing outside them. If you have an issue cross-cutting different parts of the product you'll have a terrible time with support. There's a lot of speculation on the part of the support team re: the causes of issues, and it appears that the support people have very little access to developers and no access to code.
The last major version upgrade had a >1 year timeline after it slipped repeatedly. Tyler seemed very under-staffed, which I felt like was margin-driven rather than because they couldn't find people. (Example: Half way thru the implementation key people changed positions in the company and new staff picked-up the project. It was clearly the first rodeo for some of the new people.)
It's not garbage software but it's not particularly good either. It's a lowest-common denominator kind of schlock that keeps Customers just happy enough not to look elsewhere. In terms of other vendors I've dealt with for the County it's by no means the worst. It's definitely not the worst technology stack (ask me about public safety software written in a mix of C from the early 90s, Perl from the late 90s, Win32 C from the early 2000's, Java from 2010's, and now C#-- all using a flat-file ISAM database for persistence that originated in the 1980s).
I have no feelings one way or the other about Fastmail, but since the offer TOTP as an option why not just archive the TOTP secret somewhere safe and offline? Put it with important papers that you'd store in a safe deposit box, with a trusted family member, etc.
For anyone who doesn't know, though, SCOTUS ruled against Aereo, who subsequently closed-up shop, filed for Chapter 11, and eventually were sold to DirectTV.
You can't "clever" around the intent of the law (or around a well-funded lobby). An O'Connor v. Oakhurst Dairy[0] are the exception, not the rule.
(Aside: This is nothing at all like O'Connor v. Oakhurst Dairy-- I just can't resist the urge to cite it. It's too fun.)
The trouble is that this all builds from case law established before people could use magic vision portals to exploit efficiencies of scale and centralization.
That's not even addressing the magic of infinite copying-- lets suppose we all agree publishers deserve secondary markets be restricted to physical copies. Then the digital age gives us literal magic portals but the benefits are withheld from society because... they want their money. There were laws protecting that money before so the intent of the law is to protect the money in the new age too. For shame.
> Then the digital age gives us literal magic portals but the benefits are withheld from society because... they want their money.
I'm so jaded about this now that I just assume things won't change until most of the people born before computers were "mainstream" die. Even then it'll probably take another generation or two for the cultural indoctrination associated with "intellectual property" to die out.
And no change will happen if general purpose computers (and the freedom they offer) are effectively removed from daily life. It seems to be going that way via normalization of walled gardens in the name of "security" and the infuriating argument that the computers everybody carries around (smartphones) somehow aren't actually computers and shouldn't allow for end user freedom.
I always pushed back hard on vendors who wanted me to disable SELinux on my RHEL boxes. It's unacceptable to disable default OS security protections to make an application function. It's no different than demanding an app run as root.
Indeed, disabling SELinux is like following instructions for PHP applications and running "chmod -R 777 /var/www".
I used to work at a payment provider and we had to deal with lots of monitoring and security stuff. Some of it was (obviously) busywork and needless checkbox filing, but other parts were genuinely useful. Setting up systems was tedious and difficult, but ultimately worthwhile and necessary.
I've never worked for a business paying MSFT millions so I can't comment on that. As a business paying several hundred thousand I had no success getting any help with an issue with Windows Server (July 2021). My organization was willing to spend money but couldn't get anyone at MSFT to take it.
Per Wikipedia the RAMAC 305 stored 5 million 8-bit characters[0]. Assuming they're using all 100 surfaces of the 50 disks in the unit that only comes out to 400,000 bits per surface. At the size of those platters the magnetic domains that encoded the bits must have been positively huge. There are products that could be used to visualize magnetic domains on tape[1]. The RAMAC platters seem like they'd be large enough that you could read them optically with one of these visualization tools.
The thing you'll see if you read the oral history, was they could have made it bigger, but 5MB was so much storage then, they were unsure how to sell a bigger one.
Yes. Bitlocker recovery keys are escrowed to the Microsoft account. I've relied on this recover data from a family member's PC when it failed and they had unknowingly opted-in to Bitlocker (a Microsoft Surface Laptop running Windows 10 S Mode).
reply