by londons_explore 1798 days ago
I was surprised to find that a modern Windows 10 machine (with all default security options) could have the user password bypassed easily with a Windows setup USB.

I could then read all the user's documents.

I thought the point of disk encryption and secure boot was to prevent that. Yet somehow the hole of allowing Windows setup to give you a privileged command prompt with a decrypted disk was never closed...

3 comments

You can bypass user login by simply removing the drive and accessing the data on it. This is not a bug or vulnerability; this is completely normal for unencrypted disks.

Default options do not enable any drive encryption. Secure boot is, as the name says, something to make booting secure; it has absolutely nothing to do with protecting data on disk from being accessed by someone with physical access to the machine.

I guess Windows administrators rely on this. If they close this issue, there will be a huge list of complaints that they don't want to deal with.
This is true of just about any OS though. Linux and OSX have/had single user mode, for example.
I don’t understand. What’s the point of having an encrypted disk if it can be decrypted by any old USB-loaded OS?
A user password doesn't enable encryption. BitLocker or another Full Disk Encryption solution is what you would want to use. If you can see the data, that means it's not encrypted.
But doesn’t Windows 10 ship with device encryption? I.e. full disk encryption? I thought that’s exactly what this was, which is what I’m not understanding. How can you see data if the device is encrypted?
It isn't enabled by default; you have to turn it on. It also isn't included in the Home edition at all.
Windows Home supports device encryption if you meet certain hardware requirements. (A TPM 2.0 chip, apparently.) My laptop doesn't meet those requirements so I've never looked into it further.

Windows Pro supports encryption with all hardware.