Microsoft Expertly Demonstrates Why Encryption Backdoors Are Terrible Ideas

Editorial

Microsoft did long-term privacy advocates a huge favor, even while it screwed over untold millions of customers. The company expertly demonstrated the foolhardy nature of backdoors even existing by accidentally leaking a so-called “golden key.” That key will allow anyone to bypass Microsoft’s Secure Boot protections, rendering them moot.

Golden Key Website

A “secure golden key” is precisely what the FBI is demanding Apple and other companies provide. The agency wants to be able to access encrypted systems—which are increasingly commonplace—in the pursuit of its law enforcement duties.

In addition to trying to get U.S. courts to force Apple to create software that bypasses its encryption, the FBI has argued companies like Apple could create a backdoor that only they have access to. This, we are assured, would be an excellent compromise that protects privacy and facilitates legitimate law enforcement needs.


The argument by encryption experts is that a backdoor available to one is available to all. Backdoors provide a target for authoritarian regimes and other foreign governments, as well as terrorists and other criminal organizations. Worse—and this argument has been understood for decades—even if a backdoor isn’t compromised, its legitimate owners can mishandle it, misuse it, or let it out.

Microsoft apparently decided it would play the patsy and demonstrate exactly that. Everyone who doesn’t own a Windows device “protected” by Secure Boot should thank the company. Everyone who does should get rid of it and buy something from Apple.

For technical details on the key and how it works, check out Ars Technica’s excellent writeup. The keys were originally uncovered in March and published this week to what Ars called “a funky website.”

4 Comments

  1. Paul Goodwin

    Nobody was ever supposed to be able to get my cell phone number. If there’s an opening, someone will get in.

  2. wab95


    This is huge. I’m disappointed but not surprised that this story has not gained more traction in mainstream media (that I’ve seen, at any rate), and attribute this to a combination of tech pundits not appreciating its gravity, and the unprecedentedly noisy distraction of the US campaign season commingled with the Olympics. Easy for a tech story like this, despite its glaring relevance to recent headline events, to be drowned out in this cacophony.

    Two things should happen at MS.

    First, they should sack whoever it was who suggested they make this golden key in the first place.

    Second, they should then sack the poor sod who released it into the wild.

    If these are the same person, then they should either blacklist him in perpetuity or recommend him highly to a competitor, depending on how Machiavellian they wish to be.

    While I remain impressed overall with the job that Nadella is doing at MS, this is a morality tale of Homeric proportions. I only hope that sagacious heads in security agencies worldwide comprehend the lessons of this Odyssey.

    If nothing else, MS have given Apple and the tech community live ammunition in their fight against this folly.

  3. pricemi115

    Hey Bryan:

    Just getting back from vacation and catching up on all my podcasts.
    I was listening to TMO Daily Observations 2016-08-11 and wondering if/when
    you will post a retraction/clarification to this. As I understand it, this was
    a very mis-reported issue and there was no key leaked/released…..actually there
    is no key at all.

    The issue is that in a recent version of Win10, the secure boot mechanism was enhanced,
    mostly if not exclusively, for developers to test new components to be eventually
    incorporated into the secure boot system. Unfortunately, however, due to the nature of
    secure boot, the enhancement was unknown to the older version and the team reporting the
    vulnerability found a way to sneak new (unverified) components past the secure boot

    Steve Gibson, @GRC, has a very detailed explanation of this issue in Security Now
    episode #573. The link to the show notes is below and the discussion of this issue
    starts on page #4.
