The power of Linux
from Aussiemandeus@aussie.zone to linux@lemmy.ml on 26 Apr 21:57
https://aussie.zone/post/19872205
from Aussiemandeus@aussie.zone to linux@lemmy.ml on 26 Apr 21:57
https://aussie.zone/post/19872205
Today i took my first steps into the world of Linux by creating a bookable Mint Cinamon USB stick to fuck around on without wiping or portioning my laptop drive.
I realised windows has the biggest vulnerability for the average user.
While booting off of the usb I could access all the data on my laptop without having to input a password.
After some research it appears drives need to be encrypted to prevent this, so how is this not the default case in Windows?
I’m sure there are people aware but for the laymen this is such a massive vulnerability.
threaded - newest
Same in Linux. No disk encryption and everything is easy accessible if you have physical access.
Physical access wouldn’t seem so hard. Say you worked at the company company and wanted to get the files your boss has on your evaluation or something. Wait till they’re on lunch, plug in a usb and pull them up.
I imagine patient records wouldn’t be encrypted either
Any respectable company with Windows would be using BitLocker - full disk encryption. It’s super easy to setup if your computer has TPM, fully transparent for the user in most cases.
My work macbook won’t even let me mount an external storage device, but it doesn’t seem to care about my nextcloud client running in the background. Sorry for my blasphemous behaviour my cyber security comrades 🫡🥺
That’s why you can’t just boot from an usb
If computerised, they freaking well should be.
In general they’d be in a database with it’s own accesss control to interfaces and the databases data store should be encrypted. In my country there are standards for all healthcare IT systems that would include encryption and secure message exchange between systems. If they breached those they’d be in trouble.
If your doctor has a paper file in a filing cabinet on premises, written in English, then yes. The security is only the physical locks, just like your hme pc.
such a “hack” would only work in a poorly written tv show
an unencrypted drive is like being able to look into a bank though a window, not ideal but things of value could/should/would still be in a safe or somewhere else completely
Unless someone ticked the “encrypt storage”-box in the installer, you don’t even have to pay for Pro to use it!
And this is why we say physical access is root access.
Absolutely it’s crazy that it’s so simple that you can do it in the space of 5v minutes.
You should look into HDD platter recovery. There’s some really high quality stuff on YouTube.
Aw buddy.
Go look at the free software called autopsy
This is only a vulnerability if you suspect a threat actor might physically access your computer. For most people, this is not a concern. There’s also the issue that it has processing overhead, so it might make certain operations feel sluggish.
Encryption is not a panacea, because if someone ever forgets their password (something common for the layperson), the data on that drive is inaccessible. No chance for recovery. Certain types of software may not like it either. It’s one of many considerations someone should make when determining their own threat model, but this is not a security flaw. It’s an option for consideration, and most people are probably better off from a useability standpoint with encryption disabled by default.
I think it just really goes to show you can’t hide anything on a computer physically.
I also feel this is something that should be taught in school (maybe it is i finished school over 13 years ago)
I always knew there were ways to recover files off of hard drives. I just assumed they needed to be physically remounted not just plug in a usb and off you go
Physically remounting a drive is the same thing as just plugging in a USB and going to town. Instead of taking the drives to a different system, you’re bringing the different system to the drives!
where I live they never really taught conputer literacy. some places teach ms office and that’s it
What do you mean? It’s certainly possible when using encryption software such as bitlocker. It’s just not always enabled by default.In fact it’s saved my ass from total data loss a couple of times.
If you can make sure nobody has physical access to your pc than there’s a case to be made that you don’t need it, and if you can’t and are afraid that someone has both knowledge of this fact and the intention to (ab)use it, you use bitlocker.
It’s because of stuff like this that Microsoft wants people to create an Microsoft account. Recovery key automatically saved to your Microsoft account. For business the recovery key can also be automatically saved in a central location.
Previous versions of Windows only permitted drive encryption in their premium tiers, and it seems like the current one possibly requires a TPM chip for it, so a lot of hardware won’t even support it. So basically greed or greed.
For what it’s worth it’s not always a default with Linux installations either. There’s a usually minor performance hit, though I can’t say it ever bothered me. Personally I have less fear of bad actors obtaining physical access than I do myself breaking something catastrophically and losing my access, so I don’t use it now.
Are you saying the performance hit is from running off an encrypted drive?
There will be some additional time and resources required to read and write encrypted data, even if minor.
Given that AES instructions have been implemented directly in the CPU since 2008, any performance penalty should be negligible.
Thank you for the info! I like your username.
It actually is now
And people are pissed because they don’t realize, and when they don’t have the key any more, all their data is gone!
The encryption key is stored remotely and can be retrieved through the Microsoft account
That assumes they know which Microsoft account it was attached to, the password, and have another device to access that account and retrieve the recovery key. If they did the setup five years ago, they’ve probably forgotten all that info.
IIRC, this is one of the reasons that Windows 11 requires TPM 2.0, so that the drive can be encrypted using the TPM as the key.
Good practice is putting anything important on an encrypted USB drive (as that stuff usually isn’t very big), and just treating the machine as “kinda insecure”
If you set up a BIOS password, someone at least needs to unscrew your computer to get stuff. But this is generally not setup because people, well, forget their passwords…
Yep! They don’t teach this stuff because consumer level cyber security is in the absolute pits of despair and moreover, they’re trying to do away with what little we have access to. Governments and police agencies like how easy it is to access files.
Personally I don’t bother with full disk encryption (FDE) since I don’t really have anything private on my main computer. Just a bunch of game files, comics, movies, etc. Anything extremely important such as tax documents, personal data, etc. is honestly very small and I keep in a little Proton Drive folder, <1GB total. I think the best approach is to simply educate yourself and be aware of what’s worth protecting and how best to protect that. Just enabling FDE and thinking you’re safe ignores all the other avenues that personal data can be stolen.
My current pet conspiracy theory is that FDE with BitLocker isn’t even worth it on Windows due to the TPM requirement. Why is that a bad thing? Your system probably has fTPM supported by the BIOS, why not just enable that?
techcommunity.microsoft.com/blog/…/4339066
ieeexplore.ieee.org/document/5283799 (I don’t believe we’ll see this EXACT implementation of DRM, I’m just providing an example of TPM being used for DRM and that these ideas have been in consideration since at least 2009).
Now, if I were Microsoft and I wanted to exert an excessive amount of control over your system by making sure you couldn’t run any inauthentic or “pirated” software to bring it more inline with the walled garden Apple approach they’ve been salivating over for the past decade+, you’d first need to ensure you had a good baseline enabled. You know, kind of like the thing you’d do by forcing everyone into an OS upgrade and trashing a lot of old hardware.
It won’t be instantaneous, I don’t know exactly how or what it’s going to look like when they start tightening their grip. Again, this is all speculation, but it’s not hard to connect the dots and their behavior over the past couple years does not give them the benefit of the doubt. Microsoft is no longer a company that can be assumed to be acting in the best interest of the average consumer, they’re not doing this for your security. They want to know that your computer is a “trusted platform”.
EDIT: Further lunatic conspiracy theories: BitLocker is/will be backdoored so Microsoft forcing you into that ecosystem further guarantees they have access to your system. This all stinks to me, like your landlord telling you how you can arrange the furniture in your own apartment.
security in terms of Trusted Computing is never about your security, and neither about your trust
a backup of your bitlocker key is in your Microsoft account, and normally nowhere else. It’s pretty easy for Microsoft to lock you out of your ow computer and data completely, if they wanted. Because you supposedly violated a license, or the terms of use or anything. just sayin’, Microsoft already has (and had for a few years now) a scandal about extorting for your personal phone number by locking down your account a few days after registration, until you hand it over. and even there they justify it with a ToS violation, which is just a lie
For those not in the know, “Trusted Computing” is a very specific THING and maybe not what you’d expect, en.wikipedia.org/wiki/Trusted_Computing
You can pretty much guess where I land.
You make a good point, I’m missing the forest for the trees. Why even bother theorizing that BitLocker may be compromised when they’re removing local accounts for consumers and forcing the key to be uploaded to their servers anyway?
They’re not forcing it. You can still create local accounts (though it takes some work) and it doesn’t require you to upload any keys. I have bitlocker enabled with a local account and no Microsoft account connection.
they are forcing it. if you are not determined, you won’t be able to get an offline account. many are not determined. many don’t even realize that it’s not for their benefit, even after onedrive starts announcing it daily that their drive is full
yeah, with that, it’s basically compromised, but maybe not bitlocker itself but the key storage
I thought BitLocker was enabled by default on Windows 11, which is a terrible idea imo. Full disk encryption by default makes sense in professional settings, but not for the average users who have no clue that they’ll lose all their data if they lose the key. If I had a penny for every Windows user who didn’t understand the BitLocker message and saved the key on their encrypted drive, I’d have a lot of pennies. At the very least it should be prompted to give the user a choice.
Windows does not let you save the key to the drive being encrypted. (Unless you access it via SMB share, which I’ve done a number of times during setup before moving it off.)
You mean it prevents people from writing the key on a piece of paper when they get the BitLocker message, then copy it on a text file once their session is running and throw the paper away or lose it later ?
This is true - it is enabled by default in win11. I disagree with you it being a terrible idea - imagine all the sentistive data people put on their hard drives - would they want to to fall in the wrong hands if they lose their computer? Or if their hard drives fails so they can do a secure wipe?
I’m not a fan of Microsoft, but they did solve the key issue in the enterprise setting by storing the key in they entrance identity. Same should be done for home consumers, since having a Microsoft account is being shoved in everyone’s throat anyway…
Yeah, should be noted that bitlocker is only default enabled if you set windows up with a Microsoft account, since it then saves the recovery info on that account “in the cloud”.
If you set it up with a local account, you still need to enable it manually, so that you can save the recovery info somewhere else.
Yeh. But also this allowed me to save my files from my dying windows drive while moving to linux, so sometimes giant security holes can be handy.
This is entirely expected behavior. You didn’t encrypt your drive, so of course that data is available if you sidestep windows login protections. Check out Bitlocker for drive encryption.
How old is your laptop? Pretty much every Windows machine I’ve ever owned after a certain year requires you to type in your Bitlocker key, including my first-gen Surface Go from 2018.
Also, you often have to manually set up encryption on most Linux installs as well - I did it for my Thinkpad. I need to do it for my desktop as well - I should probably do a reinstall, but I’m thinking of backing everything up and trying to do it in-place just for fun. On top of that, we can finally transition to btrfs.
<img alt="Wink" src="https://startrek.website/pictrs/image/5c7f7b9b-ab20-4043-b324-90ae7df73d79.apng">
This is interesting. I had a work computer require this ~4 years ago, but not one of the three since have (personal and different employers.)
Microsoft used to have a division for testing windows on various hardware configurations. They stopped doing that when they could just put different versions of windows on people’s computers and use telemetry to check the differences. This could be an artifact of that.
I think my laptop is from 2018 so is getting old. It’s an asus predator gaming laptop
A secure future proof Whenblows 11 is akin to a healthy wealthy fentynal addict.
By the way, no different for Linux, if you boot off of USB you can mount partitions and access anything if not encrypted and linux windows, encryption is not the default.
I still remember years ago one time windows fucked itself and god knows why I couldn’t fix it even with USB recovery or stuff like that (long time ago, I don’t remember).
Since I couldn’t boot into recovery mode the easiest way to backup my stuff to a connected external drive was “open notepad from the command line -> use the GUI send to… command to send the files to the external drive -> wait and profit” lol.
Anon discovers computers
Windows does support encrypted drives with Bitlocker, unfortunately Bitlocker’s default settings leave it vulnerable to many different attacks.
Yup. You’ll need to tkinker with Linux too if you want disk encryption. At the very least, set a BIOS password.
I think on laptops Windows i trying to encrypt the drives. Maybe online if you are logged in to a Microsoft account for bitlocker to save the encryption key. Encrypting the drives should be your decision to take.
Yes, my sister bought a laptop it had windows and bitlocker installed.
She doesn’t know what any of those things are nor does she have an encryption key.
So she was not able to resize her partition to try to dual boot linux - she’d have to totally kill windows (which I suggested, of course, but you know. . . ).
It stops her doing what she wants because she was given something she doesn’t understand by people who didn’t explain it. At least she is “safe” though according to someone else’s definition. I guess coud’ve just said “Basically, microsoft” for short.
Microsoft makes all the decisions for you.
Try using a virtual machine before doing a full switch
This is a case where Windows-bashing is hypocritical. Almost no Linux distro has disk encryption turned on by default (PopOS being the major exception).
It’s dumb and inexcusable IMO. Whatever the out-of-touch techies around here seem to think, normies do not have lumbering desktop computers any more. They have have mobile devices - at best laptops, mostly not even that.
If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.
I always turn on LUKS during install. The only exceptions are when I’m doing tests of different distros on my machine that I lovingly call “FuckAround”.
It really is the best way to find out.
it’s usually an option in the guided disk partition
Linux is about choice, not whatever someone else thinks it’s acceptable
Sure. But defaults are important.
Echoing Jubilant Jaguar’s sentiment about defaults mattering, I think that sometimes an excess amount of choice can be overwhelming such that a user is less empowered to make choices about things they do care about (Leading to a less steep learning curve). Sensible defaults need not remove anyone’s choice
I don’t disagree with the premise. I may disagree encrypted hard drive by default a sensible choice
When is the last time you carried your desktop outside? Forgot it somewhere?
No, it’s a choice, because:
History… encryption didn’t exist in the beginning. Upgrades won’t enable it.
Recovery… try telling the people that didn’t backup the encryption key - outside of the encrypted vault - that their data’s gone.
Performance… not such an issue these days, but it does slow your system down (and then everyone complains)
So, please continue to encrypt your data as you choose and be less judgemental on others, esp. anyone new
Blah blah blah. Unencrypted data is the wrong default in 2025 for any OS. Linux should not be a poor man’s OS.
I will definitely say I wish encryption setup was a lot easier in Linux. Windows is like “wanna Bitlocker?” Done.
With most Linux installers, if you’re not installing in a very default way, and clicking that box to encrypt the drive, it’s time to go seriously digging. For a while.
I managed to encrypt a secondary drive with the same password on my EndeavourOS laptop, but I still need to enter the same password 2 times before getting into the OS.
I consider that a feat, and I’m not touching it for fear of losing everything lol.
You can’t enable encryption after the fact? What a backwards system…
It’s the same situation with Linux just a simple login only has very basic protection you need to encrypt your disk if you want to make sure no one can read it.
Does book still mean cool?
No idea, it’s meant to be bootable
I’m happy that you’re on a journey of discovery. This is not an insult. The word is partition. Someone corrected me on the spelling of something last night. We all make mistakes.
Modern windows machines will be installed with bitlocker (full disk encryption). With manual installs it might not be.
I have a Windows 11 work laptop, I might try it out and see what happens