Another Bone to Pick with Microsoft

Back in August Microsoft deployed their Anniversary Update for Windows 10.  I learned my lesson on early adopting anything coming out of Redmund, so I have my Professional copies set to defer feature updates.  I do not intend to take on those updates unless I absolutely have to.  Well, yesterday Microsoft forced my hand and jammed the Anniversary Update down my throat, like it or not.  I did everything I could to stop it, even editing the registry to make my ethernet connection register as a metered service.  It still downloaded it.  I unplugged the cable from the back of the machine which stopped the download midstream and frantically Googled for a way to stop it.  Not finding one, I phoned Microsoft for a solution.  The tech I finally spoke to told me there were two solutions they could offer.  1) Let the update finish and then use the recovery option to go back to an earlier build.  2) Stop all updates completely.  So, I had to choose between a bad option and a bad option.

I understand that security updates are important, so I went with bad option number one.  Now I get to the bone I am picking.  I have my computer encrypted with Bitlocker, and other stuff.  In process of installing this rather large update, Windows required a few reboots.  During the first reboot, I unlocked my encrypted thumb drive that contains the key file required for my computer to boot, and I prepared to enter the password also required to boot, and watched in amazement as it simply continued on with the install without any input from me.

Let’s put this into perspective.  I have configured Bitlocker to require a key stored on a TPM chip installed on the motherboard, a key file stored on the above-mentioned hardware encrypted thumb drive, and a twenty character alpha-numeric pin (the maximum length Bitlocker supports).  My computer, while installing the update, rebooted.  The screen showed the video card post screen, the raid post screen, and the motherboard post screen that handed the process over to the Windows boot loader.  At that point, with only the TPM portion of the process fulfilled, the Windows Update process continued to write to an encrypted file system.  How?

I presume that the RAM was cleared, so the encryption key shouldn’t have been stored there.  The file system is encrypted, so it could not have been stored there as the update process would not have the key to read the key.  So the only place left is the unencrypted boot sectors of the system drive.  That is a massive security hole that completely destroys the point of encryption.  If the key was written to an unencrypted portion of the system drive, that key is now recoverable by a hacker or other threat to my digital security.

The other possible explanation, Windows temporarily disabled Bitlocker for the duration of the update process.  This is an equally bad situation.  It took hours to fully encrypt the 930GB of usable space on my system drive, despite that fact that it’s four striped SSD’s.  How then, can the update process, in a matter of minutes, circumvent that encryption?

This whole post boils down to one thing.  What little faith I had in Bitlocker is gone.  At great expense and with much effort, I have switched to other solutions.  Thank you, Microsoft for costing my hundreds of dollars and many hours to fix your gaping security holes.

Bitlocker is Awesome, and Sucks

I have been using Bitlocker for a little while now.  On the whole, it seems to do its job well enough.  I mean, it encrypts data to keep unauthorized people from accessing it.  That is its job, and that’s what it does.

The setup process is a bit difficult, if you don’t want the default settings.  By default it uses 128 bit AES encryption.  I prefer 256 bit, though it is arguable that it is overkill in today’s world.  However, the U.S. government requires 128 bit encryption or better for anything classified Secret, and 256 bit encryption for anything classified Top Secret.  They see a benefit in the added level of security that 256 bit encryption offers.  Since there is no difference in cost between the two, other than changing some settings, I figured I would go for the better encryption.  That part is trivial compared to getting my other requirement working properly.  I wanted my computer to make proper use of the TPM module, and load an encryption key from my hardware encrypted thumb drive, and require a lengthy completely random alpha numeric password to boot.  It’s easy to get bitlocker to use any one of those unlocking methods, and maybe even any two of the three, but getting all three simultaneously was quite difficult.  Boo.

I jumped through all of the required hoops to get bitlocker working just like I wanted, and it is working beautifully.  I now have full disk encryption on all of the hard drives in my computer.  Awesome, right?  Well, not completely.  I enabled encryption on my Western Digital MyBook 6TB drive.  All was going fine until an error at roughly 74.6%.  It rendered the entire volume unreadable.  I attempted to run a bitlocker recovery on it.  It kept telling me it required another volume of equal or greater size to the one being recovered.  I had to go buy another 6TB drive to attempt to recover the broken one.  The recovery ran for over 24 hours, and recovered exactly nothing.  So, I lost my entire 4.5TB media library.  Double Boo!

On the bright side, I now have two bright and shiny, squeaky clean, blank, 6TB hard drives.

My Windows 10 Saga

I decided to be an early adopter on Windows 10.  It hasn’t been without its pitfalls.  Although, some of the issues I’ve had were totally my fault.  As fun as it is to blame all the problems of the world on Microsoft, I have to own the ones I caused.  So anyway, here goes.

I was excited about the release of Windows 10, so the morning of July 29th I got up early to make sure I could get the download started before I went to work.  I was greeted by a message saying they would be releasing it in waves, and I would be notified when my computer was ready.  I waited, however impatiently.  Two days later I came to the realization that I might have to wait several more, so I started Googling how to get Windows 10 faster.  I discovered a nifty tool that allowed me to create bootable thumb drives and effectively skip the line.  I was thrilled.  Half an hour later I had two bootable Windows 10 install drives, one for the Home version and one for the Pro.  I was ready to rock and roll.

The morning of Friday, July 30th I plugged in one of the thumb drives and upgraded Windows 7 Ultimate to Windows 10 Pro.  I had to upgrade the OS this way so that Microsoft would issue me a Windows 10 Pro product key.  I much prefer to format the drive and install fresh, but since they were offering me a free OS, I’ll play along.

Friday afternoon when I got home from work, I found a tool that let me see the Windows 10 product key and write it down.  Now, with the product key in hand, I plugged in the thumb drive again and performed the fresh install, completely erasing any vestiges of Windows 7 from my machine.  Considering how little I used Windows 10 prior to the format, I cannot speak to the differences in responsiveness.  Either way, I do like the OS.  So far it’s easy enough to use.

Here’s where the issues come into play.  First, you need to understand that I’m a bit paranoid.  I use far too much encryption for anybody not in the Department of Defense.  When I set up my security, my adversary I had in mind was the NSA.  I figure, if I can keep them out, some shady hackers are not getting in either.  I have discovered that using the encryption I have in place is inconvenient.  Everything takes more time.  I can’t just press the power button and walk away.  I must first unlock my Aegis Secure Key and plug it in to provide Bitlocker with an encryption key.  Then, just after the bios clears I have to enter a 20 character password to unlock VeraCrypt.  It takes roughly 20 seconds to verify that it is the correct password before the computer then retrieves the key from the thumb drive to unlock Bitlocker.  Call it a poor man’s two-factor authentication.

Well, my secondary hard drive is also Bitlocker encrypted.  I backed up everything to it that I wanted to save before I formatted the system drive.  I even unplugged the secondary drive for good measure, just to make sure it didn’t get formatted as well.  After the system was all up and running again, I plugged it back in and attempted to access it.  Bitlocker asked for my recovery key.  I unlocked and plugged in my Secure Key, and it promptly informed me no compatible recovery key was found.  Talk about a sinking feeling.  I tried over, and over, and over to no avail.  I them opened each of the recovery key on the Secure Key and manually entered the 28 digit pin.  None of them worked.  Long story short, the data on that hard drive, though it is still technically there, is effectively lost forever.  Like I said at the beginning, it was totally my fault.

I gave up on that and went ahead and setup my encryption again.  I installed VeraCrypt and encrypted the system drive.  With that done I enabled Bitlocker and had it encrypt the drive as well.  I was very careful to save the recovery keys.  However, even still, I could not get my computer to boot this morning.  It recognized the recovery keys, but would not boot.  My VeraCrypt password was accepted, but it would not boot.  So, after church this afternoon, I had to format again.  If you count the laptop sitting to my left that I just installed Windows 10 on for a friend, I have in two days installed Windows 10 four times.  The joke back in the day was that I had formatted and installed Windows XP so many times that I could do it blindfolded.  It looks as though I am well on my way to accomplishing that proficiency with the latest Microsoft OS.

I am typing this on my computer, freshly installed in Windows 10.  I still like the OS, even though it does not like me.  It is definitely far superior to the debacle that was Windows 8 (or 8.1), neither of which I ever used.  I refused, just like I have never used Vista.

After much research and hair pulling I have discovered a method to make sure my computer does not go F.U.B.A.R. again.  I found a tutorial that explained how to get Bitlocker to require a TPM module, startup key (thumb drive), and a password to boot Windows.  While I was at it I found the setting that forces Bitlocker to use 256bit AES encryption instead of the default 128bits.  That way it will take the NSA an extra trillion or so years to unlock my data, at today’s computational capabilities.  Anyway, wity only one encryption system on the OS drive, I should not have to worry about conflicts making the PC unbootable again.

In conclusion, even though the transition has been rocky, I do like Windows 10.  Most of my problems were self inflicted, so like I said before I can hardly blame our favorite punching dummy Microsoft, as much as I would like to.  I have never had an OS that is easier to find drivers for.  It takes a bit longer to install time wise, but it’s easier effort wise.  I encourage people to make the jump.  It is totally worth it.