Today i took my first steps into the world of Linux by creating a bookable Mint Cinamon USB stick to fuck around on without wiping or portioning my laptop drive.
I realised windows has the biggest vulnerability for the average user.
While booting off of the usb I could access all the data on my laptop without having to input a password.
After some research it appears drives need to be encrypted to prevent this, so how is this not the default case in Windows?
I’m sure there are people aware but for the laymen this is such a massive vulnerability.
Yes, any laptop without an encrypted storage drive will have its data accessible by someone booting from a live USB.
It really is a massive vulnerability, but it’s not well known because so few people even understand the concept of a ‘live USB’ to make it a widespread threat or concern.
So yeah, if you’re ever in possession of a Windows machine that doesn’t have an encrypted disk, you can view the users’ files without knowing their password via a live USB.
It’s also not limited to laptops.
This is not that big of a deal most of the time, since you are the only person interacting with your computer, but it’s worth remembering when you decide to recycle or donate – you have to securely wipe in that case. Also bear in mind, if you do encrypt your drive, there are now more possibilities for total data loss.
Oh, fun fact: you can change a users windows password inside Linux. Comes in handy for recovery, ie, user forgot their password.
I’m happy that you’re on a journey of discovery. This is not an insult. The word is partition. Someone corrected me on the spelling of something last night. We all make mistakes.
(especially with reference to a country with separate areas of government) the action or state of dividing or being divided into parts.
Modern windows machines will be installed with bitlocker (full disk encryption). With manual installs it might not be.
I think Bitlocker isn’t even supported on Windows 11 Home. I was shocked when I wanted to set up disk encryption on my wife’s notebook.
It’s got like a “lite” version. You have to use the terminal to check if it’s enabled but that’s that Microsoft started doing in win10 home. I assume some asshat in marketing got the agreement they could keep their branding even if Microsoft gave out encryption for free.
Personally I found it made more sense to just bring an old pro license so I could be sure it was enabled.
I have a Windows 11 work laptop, I might try it out and see what happens
And this is why we say physical access is root access.
Absolutely it’s crazy that it’s so simple that you can do it in the space of 5v minutes.
You should look into HDD platter recovery. There’s some really high quality stuff on YouTube.
Aw buddy.
Go look at the free software called autopsy
Same in Linux. No disk encryption and everything is easy accessible if you have physical access.
Unless someone ticked the “encrypt storage”-box in the installer, you don’t even have to pay for Pro to use it!
Physical access wouldn’t seem so hard. Say you worked at the company company and wanted to get the files your boss has on your evaluation or something. Wait till they’re on lunch, plug in a usb and pull them up.
I imagine patient records wouldn’t be encrypted either
I imagine patient records wouldn’t be encrypted either
If computerised, they freaking well should be.
In general they’d be in a database with it’s own accesss control to interfaces and the databases data store should be encrypted. In my country there are standards for all healthcare IT systems that would include encryption and secure message exchange between systems. If they breached those they’d be in trouble.
If your doctor has a paper file in a filing cabinet on premises, written in English, then yes. The security is only the physical locks, just like your hme pc.
Any respectable company with Windows would be using BitLocker - full disk encryption. It’s super easy to setup if your computer has TPM, fully transparent for the user in most cases.
My work macbook won’t even let me mount an external storage device, but it doesn’t seem to care about my nextcloud client running in the background. Sorry for my blasphemous behaviour my cyber security comrades 🫡🥺
such a “hack” would only work in a poorly written tv show
an unencrypted drive is like being able to look into a bank though a window, not ideal but things of value could/should/would still be in a safe or somewhere else completely
That’s why you can’t just boot from an usb
By the way, no different for Linux, if you boot off of USB you can mount partitions and access anything if not encrypted and linux windows, encryption is not the default.
This is a case where Windows-bashing is hypocritical. Almost no Linux distro has disk encryption turned on by default (PopOS being the major exception).
It’s dumb and inexcusable IMO. Whatever the out-of-touch techies around here seem to think, normies do not have lumbering desktop computers any more. They have have mobile devices - at best laptops, mostly not even that.
If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.
It’s dumb and inexcusable IMO
No, it’s a choice, because:
-
History… encryption didn’t exist in the beginning. Upgrades won’t enable it.
-
Recovery… try telling the people that didn’t backup the encryption key - outside of the encrypted vault - that their data’s gone.
-
Performance… not such an issue these days, but it does slow your system down (and then everyone complains)
So, please continue to encrypt your data as you choose and be less judgemental on others, esp. anyone new
No excuses.
I will definitely say I wish encryption setup was a lot easier in Linux. Windows is like “wanna Bitlocker?” Done.
With most Linux installers, if you’re not installing in a very default way, and clicking that box to encrypt the drive, it’s time to go seriously digging. For a while.
I managed to encrypt a secondary drive with the same password on my EndeavourOS laptop, but I still need to enter the same password 2 times before getting into the OS.
I consider that a feat, and I’m not touching it for fear of losing everything lol.
Yes, I feel your pain.
Encryption drives sound like a good idea until the subject of unlocking them comes up… and automatically unlocking the drive for the OS isn’t really helping.
But, for user data, it can be unlocked automatically during login. The Arch wiki covers this.
But backup your data 😉
Blah blah blah. Unencrypted data is the wrong default in 2025 for any OS. Linux should not be a poor man’s OS.
It depends on your use-case.
Encryption of data at rest (this discussion) is mostly helpful for physical theft, so a device that never leaves the house, there’s little reason for encryption.
Similarly, on a lower powered mobile device, maybe you only want / need user data to be encrypted, and there’s no need to encrypt the OS, which keeps the performance up.
Maybe you want the whole thing encrypted on your high performance laptop.
So, it’s difficult to define a sane default for everyone, thus making it an option for the end user to decide on.
Linux has more choice than Windows - and the encryption algorithm(s) can be verified - so it’s definitely the better choice.
You can’t enable encryption after the fact? What a backwards system…
For which OS?
It can be enabled at any time on Windows & Linux. It’s just optional.
It’s your bullet point number 1
That says that upgrades won’t enable it… the user can still enable it.
-
Almost no Linux distro has disk encryption turned on by default (PopOS being the major exception).
it’s usually an option in the guided disk partition
If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.
Linux is about choice, not whatever someone else thinks it’s acceptable
Sure. But defaults are important.
Defaults are generally who do not want to understand in depth what they are doing (no offence). Example from other sphere: in R-Cran (used to write statistical models), some functions have defaults to either choose a particular algorithm or an optimisation value. I have heard almost about nobody among students, PhDs and even higher up the ladder, who took the time to understand what is happening below the shell. Instead these people took just the defaults, it worked (result was significant), done. However, if they may have chosen another algorithm, things may have turned differently, which would open up a box with many questions concerning modelling adequacy and understanding of data. It is the same with defaults in Linux.
Echoing Jubilant Jaguar’s sentiment about defaults mattering, I think that sometimes an excess amount of choice can be overwhelming such that a user is less empowered to make choices about things they do care about (Leading to a less steep learning curve). Sensible defaults need not remove anyone’s choice
I don’t disagree with the premise. I may disagree encrypted hard drive by default a sensible choice
If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.
When is the last time you carried your desktop outside? Forgot it somewhere?
I always turn on LUKS during install. The only exceptions are when I’m doing tests of different distros on my machine that I lovingly call “FuckAround”.
It really is the best way to find out.
Anon discovers computers
I thought BitLocker was enabled by default on Windows 11, which is a terrible idea imo. Full disk encryption by default makes sense in professional settings, but not for the average users who have no clue that they’ll lose all their data if they lose the key. If I had a penny for every Windows user who didn’t understand the BitLocker message and saved the key on their encrypted drive, I’d have a lot of pennies. At the very least it should be prompted to give the user a choice.
This is true - it is enabled by default in win11. I disagree with you it being a terrible idea - imagine all the sentistive data people put on their hard drives - would they want to to fall in the wrong hands if they lose their computer? Or if their hard drives fails so they can do a secure wipe?
I’m not a fan of Microsoft, but they did solve the key issue in the enterprise setting by storing the key in they entrance identity. Same should be done for home consumers, since having a Microsoft account is being shoved in everyone’s throat anyway…
It’s a matter of perspective I guess. I’m not a fan of overkill security measures that get too much in the way of usability and risk creating problems for you, especially when physical access is a minor risk in most cases. I agree that having a Microsoft account to backup your key is a solution, but not a very good one since you trade vulnerability to a possible physical access that probably is never going to happen for the absolute certainty of your data being spied on by Microsoft…
Yeah, should be noted that bitlocker is only default enabled if you set windows up with a Microsoft account, since it then saves the recovery info on that account “in the cloud”.
If you set it up with a local account, you still need to enable it manually, so that you can save the recovery info somewhere else.
Windows does not let you save the key to the drive being encrypted. (Unless you access it via SMB share, which I’ve done a number of times during setup before moving it off.)
You mean it prevents people from writing the key on a piece of paper when they get the BitLocker message, then copy it on a text file once their session is running and throw the paper away or lose it later ?
While booting off of the usb I could access all the data on my laptop without having to input a password.
This is entirely expected behavior. You didn’t encrypt your drive, so of course that data is available if you sidestep windows login protections. Check out Bitlocker for drive encryption.
It’s the same situation with Linux just a simple login only has very basic protection you need to encrypt your disk if you want to make sure no one can read it.
Windows does support encrypted drives with Bitlocker, unfortunately Bitlocker’s default settings leave it vulnerable to many different attacks.
Yeh. But also this allowed me to save my files from my dying windows drive while moving to linux, so sometimes giant security holes can be handy.
I’m sure there are people aware but for the laymen this is such a massive vulnerability.
This is only a vulnerability if you suspect a threat actor might physically access your computer. For most people, this is not a concern. There’s also the issue that it has processing overhead, so it might make certain operations feel sluggish.
Encryption is not a panacea, because if someone ever forgets their password (something common for the layperson), the data on that drive is inaccessible. No chance for recovery. Certain types of software may not like it either. It’s one of many considerations someone should make when determining their own threat model, but this is not a security flaw. It’s an option for consideration, and most people are probably better off from a useability standpoint with encryption disabled by default.
Encryption is not a panacea, because if someone ever forgets their password (something common for the layperson), the data on that drive is inaccessible.
It’s because of stuff like this that Microsoft wants people to create an Microsoft account. Recovery key automatically saved to your Microsoft account. For business the recovery key can also be automatically saved in a central location.
I think it just really goes to show you can’t hide anything on a computer physically.
I also feel this is something that should be taught in school (maybe it is i finished school over 13 years ago)
I always knew there were ways to recover files off of hard drives. I just assumed they needed to be physically remounted not just plug in a usb and off you go
Physically remounting a drive is the same thing as just plugging in a USB and going to town. Instead of taking the drives to a different system, you’re bringing the different system to the drives!
where I live they never really taught conputer literacy. some places teach ms office and that’s it
I think it just really goes to show you can’t hide anything on a computer physically.
What do you mean? It’s certainly possible when using encryption software such as bitlocker. It’s just not always enabled by default.In fact it’s saved my ass from total data loss a couple of times.
If you can make sure nobody has physical access to your pc than there’s a case to be made that you don’t need it, and if you can’t and are afraid that someone has both knowledge of this fact and the intention to (ab)use it, you use bitlocker.
