paint-brush
Your Computers Are Not Really Yours - Part 1: BitLocker Is Kinda Ransomwareby@utsavjaiswal
6,002 reads
6,002 reads

Your Computers Are Not Really Yours - Part 1: BitLocker Is Kinda Ransomware

by Utsav JaiswalSeptember 13th, 2022
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

Simply updating your PC via Windows Update can Lock you out of your system for up to 30 days - if not permanently!!

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Your Computers Are Not Really Yours - Part 1: BitLocker Is Kinda Ransomware
Utsav Jaiswal HackerNoon profile picture

I was oblivious to most of these blatant anti-consumeristic practices by major tech companies primarily due to having an old-timey mobile phone and a battered laptop, but these last couple of months had me facing the full might of the massive abominations computers have become over the last two decades


It’s for your security, they say!


Authoritarianism on the pretext of security is still oppression, some would retort.

Bitlocker - Microsoft’s Ransomware

Remember those news stories about viruses/worms that could lock your PC and ask for cryptocurrency payments as ransom to unlock your devices?

Source: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

As I learned about a month ago -

Even if you’re a prudent user and avoid ‘the activities that make you vulnerable to these attacks, you’re still not safe.

Simply updating your PC via Windows Update can Lock you out of your system for up to 30 days - if not permanently!!


Here’s how it happened to me -

  • For some reason, I was using my wife’s computer and instinctively hit the ‘Update Now’ button on Windows Update when the notification popped up


  • My wife gives me an earful for making her system unusable for like 30 mins but I stay cocky


  • Her system restarts and presents us with this message:


Source: https://specopssoft.com/blog/what-causes-bitlocker-recovery-mode

I stayed cocky for another 30 or so minutes before having my ego deflated like a party balloon poked with a sharp needle.


Apparently, the Bitlocker key is 48 characters long and you need to write it down when installing windows.

What is BitLocker?

Bitlocker is Microsoft’s proprietary drive encryption technology to protect your hard drives from cybersecurity threats. If it detects unauthorized accesses or major changes to the hardware/software, it will lock up the drive and percent access to Windows until you key in the 48-digit BitLocker recovery key.


This is good in theory but bad in implementation


Why is Microsoft’s BitLocker Implementation Bad for Retail/Casual Users?

So, when you install a fresh copy of Windows 10 or Windows 11, BitLocker is activated by default. Most retail computers today come with Windows pre-installed so turning it off during installation is kinda out of the picture.


You can turn it off by following the steps here from Stanford.


I'm going out on a limb and saying that most retail users are not gonna do that!


This brings me back to my story of my wife’s laptop which is now asking for the BitLocker recovery key because of the updates installed by Windows Update.


Are you the kind that has passwords and recovery keys written on a piece of paper - and is capable of finding that piece of paper a year down the line - when you need it?


If yes, you’re who Microsoft had in mind when they implemented BitLocker.


For the rest of us, Microsoft binds it to the Microsoft user accounts which are a different shitshow altogether and we’ll get to it shortly!


So now, as somebody who doesn't have a 48-digit key written on a piece of paper, according to Microsoft, here’s how to recover the BitLocker recovery key.


I can either:

Login into my Microsoft account to retrieve BitLocker Recovery Key

or,

use any of the other unhelpful options (in my case, might work for others) -

And it is all bullshit - if you’re using a personal computer and are not on some office computer.


If you’re on your office’s computer, and they’re big enough to have an IT department, haul it off to them and they’ll get it fixed because that BitLocker key is stored in the Active Directory account.


Else, if you’re using your personal computer - or if you’re a part of a small office that just bought and shipped the computer to you, you’re in the dock too…


All the while, keep reminding yourself that you’re being made to run around not for visiting a pornographic website but for hitting the motherfucking ‘Update Now’ button on motherfucking Windows Update.


Doing the above is very important!


Because the real headache is now tagging in -

Microsoft Accounts Are VERY Presumptive

Remember, when I said earlier that when creating a user account in Windows, you’re forced to create a Microsoft Account?


Another good in theory, and bad in implementation checkmark for Microsoft.


If you’re only gonna use Microsoft products - Outlook, Office, Bing, XBOX, good for you.


Microsoft Accounts is your one-stop get-all buffet.


But, if you’re using Gmail, Zoho, DuckDuckGo, etc, and you use your Gmail ID to create your Microsoft account - <takes a deep breath>


Microsoft automatically creates an outlook account with your GMail email as the username.


So, if your Gmail is [email protected], you’re getting another Outlook account with the same name - [email protected] -


And, to recover your BitLocker recovery key, it is this Outlook account that you need to sign in with


(This is counter-productive and counter-intuitive because in time you’re gonna forget that you even had a Microsoft account. Microsoft’s login with pin and login with fingerprint will assist that forgetfulness.)

Recovering Your Microsoft Account

Since it’ll be ages before a Windows Update lock you out of your system, you’d very likely be flagged as unauthorized access and be forced to prove your identity via a mobile OTP or Microsoft Authenticator, or an email OTP.


Most users are not gonna install Microsoft Authenticator if they’re not gonna use Microsoft Accounts (Gmail and/or GSuite users etc)


If you picked mobile OTP and haven’t changed numbers, you’ll get the OTP there and be able to log in just fine and recover your BitLocker key.


But, and this was my case because my wife switched numbers, the mobile number linked to her Microsoft Account had been inactive for a few months by now.


(Point to Note: Just having the password to your Microsoft Account is immaterial because you’ll be logging in after a long time and Microsoft wants to ensure that you’re you and so you gotta take the mobile/email OTP route)


Microsoft wants you to type in the last few recipients of your emails (sent from that Outlook account) AND the subject lines of those emails to verify that it is you trying to recover your account.


In our case, we hadn’t sent any but thankfully there were a couple of welcome emails that outlook sends out to you at the time of account creation. We used that to get access to the account but whammmmmm…


You cannot access the Recover BitLocker Key section of the account because - you did not provide the mobile OTP. So, what do you do next?


Why do you use any one of your current email IDs as the alternative recovery email and get that sorted - Right? Right?


Wrong!!


Changing a recovery method has a mandatory cooling period of 30 days during which you cannot access most of the settings sections of your Microsoft Account - including the part which has the BitLocker Recovery Key.


You can access your Outlook emails though - and the online office apps - which, if you don’t use them, don’t matter anyways.


Maybe we’re the very small minority of users and Microsoft’s only suggestion for us is to wait 30 days before they let us use our own account to recover our own computer


I once ordered something from an Eastern European country - sent it back cos they sent the wrong order - then they sent back the right item - and all of that only took a total of 25 days.


But, Microsoft thinks that needs to take longer than back-and-forth shipments across literal continents to change a security credential.


(Microsoft’s Rationale: We will use these 30-days to send messages to the old linked mobile number to confirm that basically, I’m not lying.)


In my country India, if a number is discontinued, it goes into a pool of unallocated numbers and CAN be allocated to anybody randomly.


So, if some jackass kid got assigned my old number as their new number, and when Microsoft calls them to ask - ‘Are you trying to change your Microsoft Live account credentials‘, I gotta pray:

  • That kid speaks the same language as the Microsoft person
  • That the kid is not an asshole to give wrong answers
  • That the kid is old enough to know what a Microsoft Live account is
  • That the Microsoft person is paid enough to do this properly


So, when this ordeal ends (my waiting time ends on Sept 13th), hopefully, I’ll have access back to my computer.


Formatting it was the only alternative and were it my computer, I’d have done it in a heartbeat.


But, it’s my wife’s computer and formatting is not an option. <Sigh>


Thankfully, after waiting 30 days, I got access to the settings panel and was able to get the Bitlocker recovery key and get access to my computer!

You, Will, Have No Privacy or Ownership AND You Will Like It

When I last used Windows (Windows XP SP1 days), if something broke my Windows (usually it was me tinkering), I could simply pop in the Windows XP CD and reinstall Windows and start using it - WITHOUT THE FEAR OF LOSING MY DATA.


Kids won’t know this but back in the day, we could break Windows and reinstall it - without being worried about losing our data (unless you were playing around with disk partitions). Today, a Windows Update forces me to choose between formatting my drive and waiting 30 days to access my data.


This begs the question - do you own your laptop or is it just on loan to you? Can a purposeful ‘windows update’ lock you out of your system for good?


Even in the heydays of pirated windows, the most intrusive thing they did was plaster a this-is-a-pirated-copy-of-Windows message in the bottom right.


But, I guess, in the days of mobile phones getting shipped without chargers, cars retailing for subscription-only seat-warmers, and talks of your Netflix accounts runnings ads, we’re in for a more closed ecosystem of goods and services. You cannot even take out your mobile battery because they glue it in.


You, on the other hand, will be expected to accept it as a natural order of things - and have your data used in ways right out of hyper-surveillance dystopia. But hey, if all of these transgressions enable these companies to show us hyper-tailored ADs to enable us to spend more money on more hyper-surveilled products - that, is a bargain the average user is finding easier to make by the day!


On a brighter note, my run-in with BitLocker taught me a valuable lesson -


Sometimes it is safer to hit the ‘Not Now’ button when Windows Update sends you a notification.