this post was submitted on 14 Aug 2024
300 points (97.5% liked)

Technology

59148 readers
2533 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 119 points 2 months ago (3 children)

Perfect, this will finally lock out all the old people of their devices because they forget their bitlocker password :D

[–] [email protected] 68 points 2 months ago (3 children)

I guess they'll use TPM. I'm so excited to tell half of my "clients" (all seniors in the village) that they are fucked because their Laptop died.

[–] [email protected] 50 points 2 months ago (1 children)

Yeah, this makes sense for corporate environments with keys backed up to a centralized location like Active Directory. Not for consumers with no reasonable way to keep some key like this in a safe place as a "break glass in case of emergency" option.

[–] [email protected] 43 points 2 months ago (2 children)

It backs up to the Microsoft Account

Still, some people create an @outlook.com email, set up no recovery options, forget the password, and find themselves locked out.

[–] [email protected] 10 points 2 months ago (3 children)

How do you get to your Microsoft account when your computer is locked?

[–] [email protected] 14 points 2 months ago (4 children)

If you're doing things properly, you'll know your Microsoft account password or have it in a password manager (and maybe have other account recovery options available like getting a password reset email etc.), and have a separate password for the PC you're locked out of, which would be the thing you'd forgotten. If someone isn't computer-literate, it's totally plausible that they'd forget both passwords, have no password manager, and not have set up a recovery email address, and they'd lose all their data if they couldn't get into their machine.

load more comments (4 replies)
[–] [email protected] 7 points 2 months ago (1 children)

Many people will have access to a secondary device, not all of course.

[–] [email protected] 6 points 2 months ago

Almost everyone has access to a phone. Most governments, including the US provide free or low cost smartphones to those who can't afford it. There are entire MVNO carriers based around this, like Assurance wireless.

[–] [email protected] 6 points 2 months ago

A phone or another computer?

load more comments (1 replies)
[–] [email protected] 26 points 2 months ago (1 children)

You don't need your hard drive if all your files have been secretly moved to OneDrive taps forehead.

[–] [email protected] 10 points 2 months ago

All 5 GB of them. Wait ...

[–] [email protected] 5 points 2 months ago

Oh, I can just imagine. Customers getting angry that their tech support cannot "just simply" recover their files like they used to and accuse them of scamming. Fucking thanks, Microsoft.

[–] [email protected] 16 points 2 months ago (4 children)

Keys are backed up to their MS account by default.

load more comments (4 replies)
load more comments (1 replies)
[–] [email protected] 51 points 2 months ago (5 children)

It's good, for privacy and all of course, but I remember here a Dell BIOS upgrade that basically wiped the TPM2.0 and so windows was asking for the recovery bitlocker key at boot. I have them on a encrypted USB key and anyway I can access my MS account from another device to find the key and type it.

But I'm sure a lot of people will basically say "well, fuck, I don't have the key", guaranteed.

[–] [email protected] 24 points 2 months ago (13 children)

Which brings me to the question, how is Microsoft doing this, where will people's keys be located? Do they force everybody to put in an USB stick?

[–] [email protected] 15 points 2 months ago

If you have a microsoft account that you've attached to at least one windows profile, then that machine has been registered to that account, and the bitlocker key will be stored and kept to be viewed and retrieved by logging into their microsoft account, if the machine has not been registered to a microsoft account you will either have to have jotted the very lengthy key down or have saved it to a usb

[–] [email protected] 6 points 2 months ago

From what I can tell when a customer brings in a computer they can't boot and give me a look of "what did you just say to me you little shit" when I ask them if they can log into their microsoft account, they don't give you a key.

load more comments (11 replies)
load more comments (4 replies)
[–] [email protected] 20 points 2 months ago (2 children)

This one is especially fun on windows 11 home. At least it was some time ago on some machine i worked on. Since home doesn't have the bitlocker settings fully you cannot disable bitlocker encryption. It would also auto enable sometimes even if you don't have a microsoft account, which means it doesn't back the key up anywhere. Not sure it does that anymore, i hope not, but i expect a lot of people to lose their data to this crap in the future.

In either case at least i find that full disk encryption on most machines is just overkill as it only really protects in the scenario the device is stolen and someone tries to pull data off of it that way. But in the vast majority of cases when people get their data stolen its done with malware, which disk encryption does /nothing/ to prevent.

[–] [email protected] 6 points 2 months ago

In the scenario in which your computer is forgotten or stolen, it would offer some comfort knowing that the data on the computer is not accessible.

We have a "policy" in our household that everything that has personal data should be encrypted. That is just for cases in which we lose the device or it gets stolen. That makes it a purely financial loss, and not as invasive / uncomfortable.

But on the other hand my household are not average users. So it might not work well for other people.

load more comments (1 replies)
[–] [email protected] 16 points 2 months ago

Tom’s Hardware tested this software version of BitLocker last year and found it could slow drives by up to 45 percent.

WTF‽ In Linux full disk encryption overhead is minimal:

While in pure I/O benchmarks like FIO there is an obvious impact to full disk encryption and other synthetic workloads, across the real-world benchmarks the performance impact of running under full disk encryption tended to be minimal

https://www.phoronix.com/review/hp-devone-encrypt/5

There's like five million ways you can use disk encryption on Linux though and not all of them are very performant. So keep that in mind if you see other benchmarks showing awful performance (use the settings Phoronox used).

I suspect Microsoft made some poor decisions in regards to disk encryption (probably because of bullshit/insecure-by-design FIPS compliance) and now they're stuck with them.

[–] [email protected] 16 points 2 months ago (3 children)

[…] device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.

For devices with a TPM, this has literally been the case since Windows 10 1803 back in 2018.

load more comments (3 replies)
[–] [email protected] 13 points 2 months ago

This has been happening for a lot longer than just Windows 11.

Several people I've spoken to, who have purchased OEM computers from the likes of Dell, HP, Lenovo and others, did not know that bitlocker FDE was enabled, and they were not aware that they needed to back up their recovery key.

On at least one occasion, this caused someone to lose the contents of their laptop when Windows failed to finish booting into the OS. The drive was fine as far as I could tell, but the content on the drive would not complete the boot up sequence and would bsod/boot loop the system, so data retrieval was not possible without the recovery key, which they did not have. That was a Windows 10 Dell system from 2020 or so.

My opinion is that FDE is a good thing.

My advice is if you have FDE enabled, backup your recovery keys. It's easy, but it won't directly save to a file on the filesystem that's locked by the key to which the recovery key applies. The easiest workaround is to "print" it, then use the built in Microsoft print to PDF, then dump it wherever you want. Afterwards, put it somewhere safe. Doesn't matter where, but anywhere that isn't the encrypted drive. Maybe Google drive, maybe a USB flash drive, maybe email it to yourself. I dunno, just somewhere you can retrieve if that system isn't working.

When you're done doing that, go check the same on your parents computers, friends, brothers and sisters..... If they're someone you care about, and they have a windows computer, check. Get those recovery keys backed up somewhere.

[–] [email protected] 12 points 2 months ago* (last edited 2 months ago)

This will make people angry in waves as updates break bitlocker and cohorts don't have their key, a new one each time

[–] [email protected] 12 points 2 months ago (1 children)

I think this is a step in the right direction. Everyone can lose a portable device or it can get stolen, so protecting the potentially sensitive data is important.

I think what people are complaining about is not full-disk encryption itself, but the fact that people are not used to being responsible for their cryptographic keys.

I think we should educate people regarding this responsibility. We did it with regular keys we use to unlock our homes.

[–] [email protected] 8 points 2 months ago (3 children)

Are they even saved by default in an MS account? Because if I'd link one, I would expect them to at least prompt me

load more comments (3 replies)
[–] [email protected] 8 points 2 months ago

It still uses the TPM by default, instead of requireing a passphrase to be typed in on boot to unlock the keys. This still makes it an insecure mess.

https://yewtu.be/watch?v=wTl4vEednkQ

https://github.com/stacksmashing/pico-tpmsniffer

https://github.com/stacksmashing/LPCClocklessAnalyzer

Microsoft NEVER cares about your security. They just do the absolute bare minimum for compliance with stupid standards, and then advertise it as some crazy security improvement. Corporations lie to you all the time. If you want some actual security, you need to start using FOSS software. Most importantly a FOSS, Linux-based OS, and set it up with LUKS passphrase-based encryption.

[–] [email protected] 7 points 2 months ago (3 children)

Can't wait to get a million tickets about this. -_-

load more comments (3 replies)
[–] [email protected] 7 points 2 months ago

This is good but they need better guidance to nontechnical users how to backup their keys. Cloud backup now that they are trying to make local accounts illegal I suppose.

load more comments
view more: next ›