by bigyabai 33 days ago
This doesn't make much sense. Almost every single organization using Bitlocker knows that it's backdoored. It's like Push Notifications or SMS, warrantless surveillance is the norm and you don't get to opt-out. Nobody's IT department is waking up in cold sweats at the idea of the Fed stealing their data, it's part and parcel with using Windows services.

If you really think this will be prosecuted as fraud, then you'll be shocked by how American courts handle these sorts of things.


If you have ever dealt with a regulated institution, they have an obligation to publicly report lost and stolen devices that contain PII/PHI as a breach, and the people whose data was on the device must be notified. It's a huge deal that has board-level involvement when it occurs.

The ONLY control that mitigates this risk is disk encryption, and it is perniciously misleading to ship a sabotaged product on which these legally consequential decisions get made around the world, based on the specific assurance the product is designed and marketed to provide.

If true, it is a specific outrage against the laws of several countries, medical and other research ethics, public health, and the social contracts people have with their institutions. If MS is given impunity for this, a lot of regulation is not worth the paper it is written on.

Before arguing further, I recommend looking at the breach notification sections of the laws in these major economies: https://www.dlapiperdataprotection.com/

I commented because I've worked with regulated institutions where FDE was standard across the org. Bitlocker was laughed at whenever you mentioned it by name, there was not a single engineer I met that took it seriously (even the Windows daily drivers). Microsoft Windows is consistently identified as the weakest link for securing sensitive data, one job even had a no-fly policy for Windows laptops in case they were misplaced in luggage.

So remind me how Microsoft was reprimanded for merging Dual_EC_DRBG support into Windows Vista? Or how they were punished for turning over Bitlocker keys to US law enforcement? It never happens. The regulation isn't worth the paper it's written on, and it hasn't been for well over a decade now: https://en.wikipedia.org/wiki/NOBUS

We all know there are limits and vulnerabilities to manage in products. However, this backdoor appears to be a misrepresentation of the core function of the product. If you deployed something you believed to be a joke, you may be the sucker at that table, as that's culpable.

Maybe the license language means they make no reps about security, but if this is as described they have compromised the compliance of their customer base.