Bitlocker Security Questions

hsehestedt · Saturday at 9:37 AM

kelper said:
According to this article Guidance related to Secure Boot Manager changes associated with CVE-2023-24932 | MSRC Blog | Microsoft Security Response Center

"We will be enforcing the protections in three phases to reduce customer and industry partner impact with existing Secure Boot while applying this change.

May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.

July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.

First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce bootmanager revocations on all Windows devices."

I promised that I would follow up with you on this. While I don't know why, the enforcement phase has shifted dramatically.

Reference:

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

Wow, a slip of at least two years. I guess that I really should not be surprised. After all, this is Microsoft that we are talking about

hdmi · Saturday at 11:24 AM

TraderGary said:
@hdmi, I notice that you are listing two laptop computers. Out of curiosity, what security do you use while mobile?

I never use my 2 laptops while mobile, nor ever use them for anything work related. They are for my own personal hobby stuff only. I have them set up so Device Encryption is off (whereas BitLocker Drive Encryption is unavailable due to running the Home edition of Windows 11) and they boot/resume straight to desktop. I can't publicly discuss work related security topics except that what I use for work never actually comes in contact with Windows. Whereas every computer I've used for my hobbies never ran any OS that wasn't made by Microsoft. Ever. (My first OS was MSX-DOS on a MSX1 computer after I finally found enough cash to equip it with an external MSX-compatible floppy drive.)

TraderGary · Saturday at 1:03 PM

hdmi said:
I never use my 2 laptops while mobile, nor ever use them for anything work related. They are for my own personal hobby stuff only. I have them set up so Device Encryption is off (whereas BitLocker Drive Encryption is unavailable due to running the Home edition of Windows 11) and they boot/resume straight to desktop. I can't publicly discuss work related security topics except that what I use for work never actually comes in contact with Windows. Whereas every computer I've used for my hobbies never ran any OS that wasn't made by Microsoft. Ever. (My first OS was MSX-DOS on a MSX1 computer after I finally found enough cash to equip it with an external MSX-compatible floppy drive.)

Great! I was there from the beginning too. My first computer was the original IBM PC in 1981. I debated at the IBM Store whether to go with CPM or Microsoft DOS. The tech at the IBM Store said that, without a doubt, the future would be with Microsoft. I went with MS DOS and the rest is history.

I travel a good bit and since I trade for a living, I can work from anywhere in the world that has an Internet connection. It's vitally important to me that my trading data is secure if my computer or backup SSD drives were to be lost or stolen, thus my decision to use BitLocker. I've used BitLocker since it was implemented in 2007. It's disturbing to me that you find BitLocker to be unsecure and to be avoided.

Do you use Microsoft Security (Defender)?

XxXxX · Saturday at 8:07 PM

my laptop, a rebuilt 2017 Dell 13" latitude i5, which i use when out and about
runs Ubuntu 22.04.5 LTS is back ported 24.04 LTS, hardened kernel, app armoured, LUKS encrypted and firewalled
runs its own resolving/cacheing DNS server uses encrypted connections and is totally locked down.
if anybody wants to hack that good luck to them.

best of luck, Steve ..

Win711 · Saturday at 9:45 PM

TraderGary said:
It's vitally important to me that my trading data is secure if my computer or backup SSD drives were to be lost or stolen

I trade mobile too but nothing about me is stored or needs to be stored on the drive/phone. How do you see it differently?

TraderGary · Saturday at 11:09 PM

Win711 said:
I trade mobile too but nothing about me is stored or needs to be stored on the drive/phone. How do you see it differently?

For the past 25 years I've made my living trading. We probably trade differently and use data differently.

Win711 · Sunday at 12:12 AM

TraderGary said:
For the past 25 years I've made my living trading. We probably trade differently and use data differently.

You should call your broker and ask what account information is stored locally on your device.

Any broker I've ever seen requires a username and password to log into an installed desktop or web-based software, rather than account numbers, and that info can be cleared (or chosen to not remember). And the software is just for trading. To actually move money requires logging into the website which then requires 2fa to send a wire, and to ACH requires your name be on both the sending and receiving account. Either way you'll get an email announcing the move.

And whether you have bitlocker or not, if your device is lost, you'd still call your broker and change your passwords, so bitlocker is really only making it harder to recover data if a drive fails and not really adding anything in terms of security, unless you're securing other things, like tax forms, in which case I'd ask why you'd be carrying that around.

TraderGary · Sunday at 2:33 AM

Win711 said:
You should call your broker and ask what account information is stored locally on your device.

Any broker I've ever seen requires a username and password to log into an installed desktop or web-based software, rather than account numbers, and that info can be cleared (or chosen to not remember). And the software is just for trading. To actually move money requires logging into the website which then requires 2fa to send a wire, and to ACH requires your name be on both the sending and receiving account. Either way you'll get an email announcing the move.

And whether you have bitlocker or not, if your device is lost, you'd still call your broker and change your passwords, so bitlocker is really only making it harder to recover data if a drive fails and not really adding anything in terms of security, unless you're securing other things, like tax forms, in which case I'd ask why you'd be carrying that around.

That's all elementary. I trade with Interactive Brokers using Interactive Brokers Trader Workstation. I log in securely with biometric 2FA. Having traded for 25 years, I have a large trading account. It accumulates tax free as it was originally started years ago from a 401-K Rollover Account. Tax free accumulation over 25 years, as you might imagine, has been significant. I'm only taxed at current income on what I take out. I've been regularly moving my income to my bank account for 25 years, so of course I know how all that works.

I'm a short-term technical trader and do mostly day trading. I keep chart and data records on every trade I make. I never want to lose this data because of how I use it in my trading.

My backup strategy uses the 3-2-1 rule.
3 copies of my data, using
2 different technologies,
1 of which must always be offsite.

I make daily Macrium Reflect images alternating on two 4TB Samsung T9 Portable SSD drives, each rotating 7 images.
For my offsite backup copy, I mirror my local OneDrive data in real-time to 1TB of cloud OneDrive.

My computer and my portable SSD drives all use BitLocker.

Win711 · Sunday at 4:55 AM

TraderGary said:
That's all elementary. I trade with Interactive Brokers using Interactive Brokers Trader Workstation. I log in securely with biometric 2FA. Having traded for 25 years, I have a large trading account. It accumulates tax free as it was originally started years ago from a 401-K Rollover Account. Tax free accumulation over 25 years, as you might imagine, has been significant. I'm only taxed at current income on what I take out. I've been regularly moving my income to my bank account for 25 years, so of course I know how all that works.

I'm a short-term technical trader and do mostly day trading. I keep chart and data records on every trade I make. I never want to lose this data because of how I use it in my trading.

My backup strategy uses the 3-2-1 rule.
3 copies of my data, using
2 different technologies,
1 of which must always be offsite.

I make daily Macrium Reflect images alternating on two 4TB Samsung T9 Portable SSD drives, each rotating 7 images.
For my offsite backup copy, I mirror my local OneDrive data in real-time to 1TB of cloud OneDrive.

My computer and my portable SSD drives all use BitLocker.

That's great but I don't see what advantage you get from bitlocker on your laptop, except to make recovery more difficult if your drive were to fail in between backups. All anyone could do is view your trading notes. They'd still need your biometrics and phone to steal any money.

I only daytrade forex, for the leverage, then use a basket of stocks to store money using a cost-averaging strategy, mainly because I feel like owning shares gives me more rights than owning cash. Sometimes I have to go out during NFP, FOMC, or some news event that makes the market swing wildly, so I need some mobile platform to not miss an opportunity, but would never dream of complicating matters with encryption. There is nothing to encrypt except some bookmarks, pics, and videos. But if I were storing crypto wallets and seed phrases then yeah, I'd definitely want encryption. I'd be pretty dumb to be carrying that around though.

TraderGary · Sunday at 6:32 AM

Win711 said:
That's great but I don't see what advantage you get from bitlocker on your laptop, except to make recovery more difficult if your drive were to fail in between backups. All anyone could do is view your trading notes. They'd still need your biometrics and phone to steal any money.

I only daytrade forex, for the leverage, then use a basket of stocks to store money using a cost-averaging strategy, mainly because I feel like owning shares gives me more rights than owning cash. Sometimes I have to go out during NFP, FOMC, or some news event that makes the market swing wildly, so I need some mobile platform to not miss an opportunity, but would never dream of complicating matters with encryption. There is nothing to encrypt except some bookmarks, pics, and videos. But if I were storing crypto wallets and seed phrases then yeah, I'd definitely want encryption. I'd be pretty dumb to be carrying that around though.

I won't argue with what you want to do with your drives and data. We simply differ, that's all.

If your drives are lost or stolen, you don't mind anyone combing through all your stuff.

If my drives are lost or stolen, nobody can comb through all my stuff as it's encrypted.

That was easy, wasn't it?

kelper · Sunday at 6:40 AM

I wonder. Here, in the UK, if you put a padlock on your business's van, it advertises that something valuable is inside. Perhaps putting Bitlocker on suggests the laptop contains valuable data!

hsehestedt · Sunday at 7:36 AM

kelper said:
I wonder. Here, in the UK, if you put a padlock on your business's van, it advertises that something valuable is inside. Perhaps putting Bitlocker on suggests the laptop contains valuable data!

A lock can be seen from a distance. No would know that you have BitLocker on your system until they first have physical access to your system, presumably because they have already stolen that PC before they ever even knew that it has BitLocker.

kelper · Sunday at 7:57 AM

I realise that but an opportunistic thief might get curious, or he might just wipe the disk.

hsehestedt · Sunday at 8:05 AM

kelper said:
I realise that but an opportunistic thief might get curious, or he might just wipe the disk.

Personally, I don't care nearly as much if my computer is stolen or disk is wiped as I would if they got access to my data. My entire life is on my drive in digital form.

TraderGary · Sunday at 8:37 AM

hsehestedt said:
Personally, I don't care nearly as much if my computer is stolen or disk is wiped as I would if they got access to my data. My entire life is on my drive in digital form.

@hsehestedt Do you use BitLocker?

hsehestedt · Sunday at 9:52 AM

TraderGary said:
@hsehestedt Do you use BitLocker?

Yes! I love BitLocker. I've been using it for years. I use BitLocker on every single computer that I own

.

I also employ a scheme that I discussed on this forum a day or two ago whereby I use a my own personally selected 48-digit key because I can compute that number in my head. Therefore I have no need to backup or store my BitLocker key anywhere

.

EDIT: That discussion was in this very thread, found here:

Bitlocker Security Questions

@hdmi, you do bring up the point that Microsoft is indeed fallible. No one can ever argue that they are infallible. ;-) For me, BitLocker meets my security requirements, and I am confident using it. As always, YMMV.

www.elevenforum.com

Win711 · Sunday at 11:34 AM

TraderGary said:
I won't argue with what you want to do with your drives and data. We simply differ, that's all.

If your drives are lost or stolen, you don't mind anyone combing through all your stuff.

If my drives are lost or stolen, nobody can comb through all my stuff as it's encrypted.

That was easy, wasn't it?

The point is to not have anything on your drive that you mind anyone combing through, and if you do then don't take it out where you could lose it. You kept saying you're a trader so you have to, but that's not really true. I could leave my laptop in a hotel lobby and just walk away knowing no one can steal my money. Other than some trading software that could be downloaded by anyone, explorer patcher, shut up 10, and a few bookmarks about weather and youtube there is nothing there to get. If you have something on yours to hide, then it's not because you're a trader. Anyway, I'm just saying

Win711 · Sunday at 11:36 AM

kelper said:
I wonder. Here, in the UK, if you put a padlock on your business's van, it advertises that something valuable is inside. Perhaps putting Bitlocker on suggests the laptop contains valuable data!

A long time ago someone told me if I don't want my car broken into then leave the glovebox open to show there is nothing inside to steal.

kelper · Sunday at 11:40 AM

Win711 said:
A long time ago someone told me if I don't want my car broken into then leave the glovebox open to show there is nothing inside to steal.

I knew someone, whose car wasn't worth stealing, who draped a pair of underpants (shorts to Americans) over the steering wheel - complete with a massive skid mark. He never had this car stolen but some wag loosened all the wheerl nuts. As he drove a group of students to college we asked him to stop when the vibration in the back became terrible. Luckily no wheel came off.

TraderGary · Sunday at 2:03 PM

Win711 said:
The point is to not have anything on your drive that you mind anyone combing through, and if you do then don't take it out where you could lose it. You kept saying you're a trader so you have to, but that's not really true. I could leave my laptop in a hotel lobby and just walk away knowing no one can steal my money. Other than some trading software that could be downloaded by anyone, explorer patcher, shut up 10, and a few bookmarks about weather and youtube there is nothing there to get. If you have something on yours to hide, then it's not because you're a trader. Anyway, I'm just saying

Good point. Some people don't have anything of value on their computers.

Bitlocker Security Questions

Well-known member

My Computers

Jack of all trades – master of none

My Computers

Stock Market Wizard

My Computer

Well-known member

My Computers

Active member

My Computer

Stock Market Wizard

My Computer

Active member

My Computer

Stock Market Wizard

My Computer

Active member

My Computer

Stock Market Wizard

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Stock Market Wizard

My Computer

Well-known member

My Computers

Active member

My Computer

Active member

My Computer

Well-known member

My Computers

Stock Market Wizard

My Computer

Similar threads