   alt.comp.os.windows-11      Steaming pile of horseshit Windows 11      4,852 messages   

   Message 3,914 of 4,852   
   Maria Sophia to Frank Slootweg   
   Re: Any point to password protecting the   
   23 Jan 26 00:59:39   
   
   XPost: alt.comp.os.windows-10   
   From: mariasophia@comprehension.com   
      
   Frank Slootweg wrote:   
   > Maria Sophia  wrote:   
   >> Frank Slootweg wrote:   
   >>>> What is your recommendation for privacy on a computer, Frank?   
   > [...]   
   >>>   To answer your question: You probably mean measures to limit the   
   >>> consequences of bad actors having physical access to your (Windows)   
   >>> computer or stealing it, as that's the context of this thread. "privacy   
   >>> on a computer" is *way* too wide/unspecific/ambiguous/.   
   >>   
   >> You are correct. We're assuming a daily boot of a Windows PC with a local   
   >> account (whether Windows 11 or Windows 10) and people you trust in the home   
   >> and we're assuming the rare happenstance of a burglar with physical access.   
   >   
   >   You're making a number of essential mistakes.   
   >   
   >   For sensible people, there *is* no such thing as "a daily boot". The   
   > system is active or sleeps (Modern Standby) or is hibernated. A 'boot',   
   > actually a 'Restart' is only needed once a month at Windows Update time,   
   > if that often.   
   >   
   >> Note: Windows FDE is Bitlocker, so that is the default interpretation.   
   >   
   >   No, Windows FDE is only Bitlocker on Windows Professional, etc. On   
   > Windows Home, it's (Settings -> Privacy & Security ->) 'Device   
   > encryption', sort of Bitlocker Lite.   
   >   
   >>>   That said, my - rather obvious - recommendations are: A boot password,   
   >>> sign-in protection (password or/and other) and - if needed/practical -   
   >>> Windows' FDE or similar.   
   >>   
   >> Thank you for outlining your model to contrast with mine, where we each   
   >> optimized the threat protection in reasonably different manners.   
   >>   
   >> I. Frank's proposed security model is system centric & labor intensive.   
   >   
   >   Nope, it's not "labor intensive" at all. Set up once and forget.   
   >   
   >> II. The model I suggest is data centric & optimized for convenience.   
   >   
   >   Yes, it's data centric, but anything *but* convenient, for reasons   
   > others have already pointed out. More below.   
   >   
   >> Since the goal is for others to learn from our technical conversation   
   >> here is a point-by-point summary of the two threat models we proposed.   
   >>   
   >> A. Threat model   
   >>    1. FS assumes OS level FDE (Bitlocker) protection is required.   
   >   
   >   No, I said as needed/practical and *if* used, it's 'Device encryption'   
   > not full Bitlocker.   
   >   
   >>    2. MS assumes only specific data stores need protection.   
   >>   
   >> B. Boot process   
   >>    1. FS uses a boot password and sign in protection.   
   >>    2. MS uses no boot password and no sign in password.   
   >>   
   >> C. Disk protection   
   >>    1. FS uses Windows FDE so the entire volume is encrypted at rest.   
   >>    2. MS uses Veracrypt for financial data & KeePassDX for passwords.   
   >>   
   >> D. Forensic residue   
   >>    1. FS's model encrypts swap, temp files, hibernation files & caches.   
   >>    2. MS's model protects encrypted containers leaving OS residue readable.   
   >>   
   >> E. Convenience   
   >>    1. FS accepts daily friction at boot & sign in.   
   >   
   >   No, no daily bootup and no, no 'friction'. See what the (Settings ->   
   > Accounts ->) 'Sign-in options' *really* offer. It can be as little as   
   > absolutely no action, or just one tap.   
   >   
   >>    2. MS eliminates friction at boot & sign in by only unlocking   
   >>       containers when needed (which the user may unlock only occasionally).   
   >   
   >   Which is much, much more 'work' than my setup would ever require.   
   >   
   >> F. Cloud identity   
   >>    1. FS's model can run without a Microsoft account but if Windows FDE   
   >>       is used then recovery material must be stored offline by the user.   
   >   
   >   No, Windows' 'Device encryption' doesn't require the user to keep a   
   > recovery key. The user *can* do so, to protect against a computer   
   > hardware failure.   
   >   
   >>    2. MS's model uses no OS level encryption so no recovery keys exist   
   >>       and no cloud identity is ever needed at any time (by design).   
   >   
   >   Then where *do* you keep your passwords to unlock your containers?   
   >   
   >> G. Physical theft   
   >>    1. FS's model forces the attacker to defeat FDE for all access.   
   >>    2. MS's model exposes OS data but protects financial & passwd data.   
   >>   
   >> H. Family access   
   >>    1. FS's model blocks family members without credentials.   
   >   
   >   True, but, as explained above, those 'credentials' are a non-issue.   
   >   
   >>    2. MS's model allows family access but keeps sensitive data encrypted.   
   >>   
   >> Summary   
   >>    1. FS's model maximizes system level protection & minimizes leakage.   
   >>       But at the cost of daily convenience.   
   >   
   >   No, as explained, when properly set up, there is very little to no   
   > inconvenience.   
   >   
   >>    2. MS's model maximizes daily convenience by protecting data chosen   
   >>       to encrypt (which the user may unlock only occasionally).   
   >   
   >   My summary: You're of course entitled to use your system as you see   
   > fit and so do I/others. But your methods are not 'better', i.e. have only   
   > advantages and not a single disadvantage, nor are mine. They just are   
   > different, that's all. 'Better' does not exist, not in this case and not   
   > in any other case.   
      
   Hi Frank,   
      
   This discussion is welcome because it compares very different use models.   
      
   To that end, thank you for the clarifications about Device Encryption on   
   Home versus Bitlocker on Pro. That helps narrow the terminology since you   
   didn't specify what FDE you were suggesting.   
      
   My usage pattern is different from yours perhaps because my hardware is   
   from 2009 and does not wake reliably from sleep or hibernation, so daily   
   shutdown is normal for me. I understand that many people use Modern Standby   
   instead, but my model is based on my own workflow which is perfectly valid.   
      
   Regarding wake credentials, many users still type a password or PIN when   
   the system wakes. I never type a password upon booting as I avoid that   
   constant friction by not using a local password at all. My threat model   
   assumes trusted people in the home and focuses on protecting only specific   
   data stores, which are infrequently accessed.   
      
   About recovery keys, AFAIK, Device Encryption may not require the user to   
   store one manually, but it still ties recovery to Microsoft infrastructure   
   unless the user intervenes by taking deliberate steps to prevent the   
   default behavior. My approach avoids that by not using OS level encryption.   
      
   AFAIK, Windows Device Encryption on Home automatically backs up the   
   recovery key to the user's Microsoft account unless the user actively stops   
   it. That default behavior is what ties recovery to Microsoft   
   infrastructure.   
      
      
   [continued in next message]   
      