
   alt.comp.os.windows-11      Steaming pile of horseshit Windows 11      4,852 messages   


   Message 3,880 of 4,852   
   Maria Sophia to Chris   
   Re: Any point to password protecting the   
   22 Jan 26 10:59:29   
   
   XPost: alt.comp.os.windows-10   
   From: mariasophia@comprehension.com   
      
   Chris wrote:   
   > Brian Gregory wrote:   
   >> On 21/01/2026 18:32, Maria Sophia wrote:   
   >>> So my practical Windows security model for a home environment is this:   
   >>>   
   >>> 1. Encrypt the small amount of data that actually matters, such as   
   >>> passwords and financial records.   
   >>> 2. Keep that data in Veracrypt containers or a password manager.   
   >>> 3. Do not rely on BIOS passwords or biometrics to protect data on a   
   >>> stolen device because they do not address that threat.   
   >>>   
   >>> Biometric marketing gimmicks solve a convenience problem, not a data   
   >>> protection problem. If we have a real fear of the people around us, that is   
   >>> a different threat model, but most home users do not need that level of   
   >>> control (IMHO) in terms of the frequency of passwords they enter.   
   >>   
   >> But it's unrealistic to expect anyone but an expert to install and use   
   >> Veracrypt containers, it's also largely unrealistic to expect them to   
   >> keep absolutely everything always in its designated place, encrypted or   
   >> unencrypted as appropriate.   
   >>   
   >> I get that BIOS password doesn't add any real protection but why object   
   >> to it so much? It's another thing that any hacker will need to get   
   >> around before they can run any hacking tool on a PC.   
   >>   
   >> I also do not see why you regard biometric security as a gimmick. It's   
   >> dirt cheap now (cost me £12 to add a fingerprint reader to my desktop   
   >> PC) and works fairly well, and seems to err firmly towards rejecting   
   >> fingers that don't match exactly rather than accepting anything vaguely   
   >> like my finger. On cold days I even need to warm my finger before   
   >> there's any hope of it matching how it looked to the scanner on a hot day.   
   >   
   > It's simply best to ignore "Maria". He largely makes sense to only himself.   
      
   Hi Brian and Chris,   
      
   Until/unless Chris proposes a security model for us to discuss like Brian &   
   Frank kindly did, it's not appropriate for me to respond to Chris'   
   incessant personal attacks which add no value to this technical discussion.   
      
   Hence, I will stay focused on the technical points since the goal of this   
   thread is to compare practical Windows security models for home users.   
      
   Brian, you raised two reasonable concerns. The first is whether most   
   home users can manage Veracrypt or similar tools. The second is whether   
   BIOS passwords or biometrics add meaningful protection.   
      
   On the first point, any model requires some discipline. That includes   
   full disk encryption, container based encryption, or any hybrid. My view   
   is that most home users have a small amount of data that actually   
   matters, such as passwords and financial or medical records. Those items   
   can be isolated in a container or password manager without requiring the   
   user to enter credentials every day. That is the convenience tradeoff I   
   am optimizing for since my model is highly optimized for convenience.   
      
   On the second point, a BIOS password does not protect data on a stolen   
   device because the drive can be removed and read. Biometrics unlock the   
   Windows session but do not protect the drive once it is removed. They   
   solve a convenience problem, not a data at rest problem. That is why I   
   focus on encrypting the specific data stores that matter.   
      
   On biometrics, a key point is that they do not protect data at rest.   
   A fingerprint or face scan unlocks the Windows session, but once the   
   drive is removed from the laptop the biometric layer is irrelevant. The   
   data on the drive is readable unless it is encrypted. Biometrics solve a   
   convenience problem for sign in, not a data protection problem for a   
   stolen device. That is why I treat them more as a marketing gimmick rather   
   than a security control for data at rest.   
      
   Chris, if you disagree with my model, that is fine. Instead of comments   
   about me, it would help the thread if you outlined your own Windows   
   security model for a home environment, the same way Frank and I did.   
   That way readers can compare the assumptions, the threat models, and the   
   tradeoffs.   
      
   My model is simple and well thought out to be optimized for convenience.   
   1. Encrypt the small amount of data that matters.   
   2. Keep it in Veracrypt containers or a password manager.   
   3. Do not rely on BIOS passwords or biometrics for data at rest.   
   4. Optimize for convenience during daily use.   
      
   Frank's model is different from mine in being system centric.   
   My model is data centric. If Chris would like to propose a third   
   model, it would be useful to describe it so others can evaluate the   
   technical merits.   
   --   
   On Usenet old men discuss problems they've solved over the decades.   
      

