by motohagiography
25 days ago
If you have ever dealt with a regulated institution, they have an obligation to publicly report lost and stolen devices that contain PII/PHI as a breach, and the people whose data was on the device must be notified. It's a huge deal that has board-level involvement when it occurs. The ONLY control that mitigates this risk is disk encryption, and it is perniciously misleading to ship a sabotaged product on which these legally consequential decisions get made around the world, based on the specific assurance the product is designed and marketed to provide. If true, it is a specific outrage against the laws of several countries, medical and other research ethics, public health, and the social contracts people have with their institutions. If MS is given impunity for this, a lot of regulation is not worth the paper it is written on. Before arguing further, I recommend looking at the breach notification sections of the laws in these major economies: https://www.dlapiperdataprotection.com/
So remind me how Microsoft was reprimanded for merging Dual_EC_DRBG support into Windows Vista? Or how they were punished for turning over BitLocker keys to US law enforcement? It never happens. The regulation isn't worth the paper it's written on, and it hasn't been for well over a decade now: https://en.wikipedia.org/wiki/NOBUS