repiv
Aug 13, 2009



College Slice

FunOne posted:

Oh, and I can't set up the fingerprint scanner without also setting a PIN? What the gently caress?

Every device with a fingerprint scanner I've used has had this requirement, because no scanner is 100% reliable

If your finger is damp it probably won't work


Klyith
Aug 3, 2007

GBS Pledge Week


FunOne posted:

At least if the disk is encrypted they have to do some work to guess a passphrase vs. Hey Microsoft please unlock this whole device. I mean, my Google account doesn't unlock my phone. It doesn't even control the encryption.

a. bitlocker by default saves a recovery key to a MS account, but it is optional. the MS account credential is not the same as the bitlocker key.

b. don't get a MS account if you're worried about it

c. your threat model is dumb. encryption is not a defense against the courts because not following court orders is itself a crime.

if you are committing crimes, don't get caught in the first place (or stop committing crimes). if you are innocent, concealing evidence is stupid.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity



Fun Shoe

corgski posted:

Oh if you're using a fingerprint scanner you may as well enable microsoft account for everything if your concern is really "someone getting a court order to access the computer" since it'll be just as easy for them and it'll save you the indignity of them physically forcing you to scan your fingerprint.

I guess I'm just an idiot for wanting some level of security more than "send all my passwords to Redmond" but below "hard drive buried outside." Maybe I'm not worried about the CIA breaking into my house but I'd kinda like it if Sgt. Pile couldn't root through it.

My phone seems to have figured out this complex set of "ease of use" and "decent security" challenges, but I guess asking the same of a laptop is too much.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity



Fun Shoe

repiv posted:

Every device with a fingerprint scanner I've used has had this requirement, because no scanner is 100% reliable

If your finger is damp it probably won't work

So why couldn't I just type in my password?

repiv
Aug 13, 2009



College Slice

Oh right, the PIN is separate to the password. Yeah there's no need for that

Flipperwaldt
Nov 11, 2011

Won't somebody think of the starving hamsters in China?



FunOne posted:

Oh, and I can't set up the fingerprint scanner without also setting a PIN? What the gently caress?
The PIN can be 127 characters long and include letters and special characters, if you're worried about it being guessable. But yeah, it's a dumb requirement.

Ghostlight
Sep 25, 2009

Success!



FunOne posted:

So why couldn't I just type in my password?
Because signing in with a password is disabled the moment you enable fingerprint sign-in for the obvious reason that otherwise the fingerprint offers no protection against people stealing your password.

Dylan16807
May 12, 2010


Ghostlight posted:

Because signing in with a password is disabled the moment you enable fingerprint sign-in for the obvious reason that otherwise the fingerprint offers no protection against people stealing your password.
If you're worried about someone stealing your password, shouldn't you be using two-factor?

And now you have no protection against someone stealing your PIN, which is almost always a lot weaker than your password.

Last Chance
Dec 31, 2004



Dylan16807 posted:

If you're worried about someone stealing your password, shouldn't you be using two-factor?

And now you have no protection against someone stealing your PIN, which is almost always a lot weaker than your password.

How does one steal a PIN? Just curious. Should I keep my bank card locked in aluminum foil so no one gets my PIN?

Cardiovorax
Jun 5, 2011
I got chased out of the Monster Hunter thread for garbage posting, now I shit up other Games threads with useless low-effort uninformed aggro noise. I somehow think "VN nerds" are beneath me and I belong on your ignore list.

Last Chance posted:

How does one steal a PIN? Just curious. Should I keep my bank card locked in aluminum foil so no one gets my PIN?
Same as passwords, I'm guessing? Keyloggers, brute force, using social engineering or just figuring out where you've written it down "just in case" and grabbing the paper? Brute force is easier, what with generally being fairly short, but personally, I see local account passwords as kind of comparable to door locks: they're supposed to prevent casual and opportunistic access, not as serious security against anyone with know-how and a dedication to getting at your data. They're not really up to that task.

Flipperwaldt
Nov 11, 2011

Won't somebody think of the starving hamsters in China?



Signing in with a password isn't disabled when you're using face recognition with Windows Hello, I can't imagine why it would be different with a fingerprint scanner.

Edit:

First square icon is log in with fingerprint, second with password, third log in with pin.

Flipperwaldt fucked around with this message at 23:09 on Aug 19, 2020

Ghostlight
Sep 25, 2009

Success!



Oh yeah, you're right. I had just turned on Require Windows Hello because see previous reply.

Dylan16807 posted:

If you're worried about someone stealing your password, shouldn't you be using two-factor?

And now you have no protection against someone stealing your PIN, which is almost always a lot weaker than your password.
Fingerprint and PIN is two-factor.

corgski
Feb 6, 2007




FunOne posted:

I guess I'm just an idiot for wanting some level of security more than "send all my passwords to Redmond" but below "hard drive buried outside." Maybe I'm not worried about the CIA breaking into my house but I'd kinda like it if Sgt. Pile couldn't root through it.

A cop can legally force you to unlock any device with your fingerprint during a search. It is in every way less secure than a password. If you want the convenience that's perfectly fine and ok, but even a microsoft account is more secure against your local keystone kop than fingerprint unlock because the state has to request access from a third party that could, theoretically, refuse to comply.

https://news.bloomberglaw.com/priva...onal-judge-says

corgski fucked around with this message at 23:56 on Aug 19, 2020

Medullah
Aug 13, 2003

FEAR MY SHARK ROCKET IT REALLY SUCKS AND BLOWS


I've seen enough movies to know that the bad guys are going to get your fingerprint to unlock things one way or another. Same with retinal scans.

Flipperwaldt
Nov 11, 2011

Won't somebody think of the starving hamsters in China?



Ghostlight posted:

Fingerprint and PIN is two-factor.
It would be if you were asked to provide both each time.

corgski
Feb 6, 2007




Klyith posted:

c. your threat model is dumb.

Really the answer is this. If you want to defend against organized state actors you need to pay someone. If you want to keep Sgt. Porky and the boys down at the precinct from seeing your porn folder during a search at a traffic stop use a good password, bitlocker, and don't use biometrics or cloud authentication. If you want to defend against a random dipshit who wandered past your laptop anything that isn't a password of "password" will work.

doctorfrog
Mar 14, 2007

Great.



corgski posted:

A cop can legally force you to unlock any device with your fingerprint during a search. It is in every way less secure than a password. If you want the convenience that's perfectly fine and ok, but even a microsoft account is more secure against your local keystone kop than fingerprint unlock because the state has to request access from a third party that could, theoretically, refuse to comply.

https://news.bloomberglaw.com/priva...onal-judge-says

Your wording made me think "a cop can do this while searching you." Article seems to say you can be compelled to unlock a device as part of executing a search warrant. The same would apply to a password, wouldn't it?

quote:

Compelling Barrera to use his fingerprint to unlock a device is not self-incriminating testimony under the Fifth Amendment, Harjani said. The procedure of using biometrics to unlock a phone is "more akin to a key than a passcode combination," and that the procedure is a physical act, he said.
I completely agree that a biometric lock isn't inherently more secure than a password, but in this case, the password wouldn't offer more protection, except that I guess you could continue to refuse to disclose it, and get like contempt of court (or physically beaten).

It is super possible that I'm not understanding either the article or the hypothetical, though.

corgski
Feb 6, 2007




It's in your quote from the link, passwords are protected under the 5th amendment, biometrics are not.

It's a dumb loving distinction but one to keep in mind if your threat model includes pissed off cops.

corgski fucked around with this message at 00:23 on Aug 20, 2020

Klyith
Aug 3, 2007

GBS Pledge Week


doctorfrog posted:

Your wording made me think "a cop can do this while searching you." Article seems to say you can be compelled to unlock a device as part of executing a search warrant. The same would apply to a password, wouldn't it?

I completely agree that a biometric lock isn't inherently more secure than a password, but in this case, the password wouldn't offer more protection, except that I guess you could continue to refuse to disclose it, and get like contempt of court (or physically beaten).

With a search warrant for your computer, the cops can tell you to type in your password (that's compel in a legal sense, not compel as in beat you 'til you give in). If you don't, you may face the consequences of not following a legal search. Currently those consequences are 18 months in jail for contempt of court, if the judge thinks the prosecutors have a good case against you and that the case would be a "foregone conclusion" if you typed in the passwords to decrypt your CP stash.

18 months is a lot lighter sentence than Jared from Subway is serving so that could be considered a good deal, but a better deal is not doing crimes.


OTOH with biometrics, a cop can hold your finger against the reader and there ain't poo poo you can do about it. Agreed it's a dumb distinction, but the legal protection is against self-incrimination. In the fingerprint scenario you aren't doing anything yourself, and the law doesn't consider fingerprints to be an invasion of privacy. They fingerprint you just for being a suspect.

doctorfrog
Mar 14, 2007

Great.



Ok I get the distinction better now, thanks.

I don't have any crimes to hide, and I want the Jareds locked up, but it does bug me that there's just about nothing that can't be pried into. But it's amusing and somewhat reassuring that a .7z password can be more secure than a fingerprint scanner.

HalloKitty
Sep 30, 2005

Adjust the bass and let the Alpine blast


Ghostlight posted:

Oh yeah, you're right. I had just turned on Require Windows Hello because see previous reply.

Fingerprint and PIN is two-factor.

How? When you fail the fingerprint test, you can just enter a pin. One factor.

Cardiovorax
Jun 5, 2011
I got chased out of the Monster Hunter thread for garbage posting, now I shit up other Games threads with useless low-effort uninformed aggro noise. I somehow think "VN nerds" are beneath me and I belong on your ignore list.

Yeah, it's not two-factor unless it requires you to enter both every time.

Ynglaur
Oct 9, 2013



If you don't trust Redmond to store passwords, you shouldn't be using Windows. Redmond compiles your operating system. They already have root.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity



Fun Shoe

In summary, a "Microsoft account" login to Windows puts you into the global MSFT AD system, allowing them to credential themselves into your machine as well as remotely revoke those credentials.

It also backs up the local encryption credentials and syncs your desktop "experience".

Downside, if your MSFT account is compromised, you can be locked out of your machine. If your MSFT account is compromised, your local machine also is.

Upside, passwords sync across multiple devices. Find my device functionality. New device experience is much improved. MSFT service settings sync between devices.

Downside, if you've set up your MSFT with 2 factor auth you now have to deal with that on a daily basis.


It looks to me that adding the MSFT account vs. a local account only increases the chances that someone gets into the device for marginal benefits. Anything important is backed up to the cloud, so if I lose the device or the encryption is corrupted I'll just start from a reformat. I generally do not want settings to convey between devices. And I'd rather the online account have a high quality password I don't type in every day.

In addition, enabling any other form of login other than password requires you to set a redundant PIN. Any other password or PIN can then be used to log in to the device EVEN after a reboot. No idea why MSFT can't copy the biometric processes used by phones, where a real password is required to authenticate into the device on boot then biometrics can be used afterwards.


I appreciate all the helpful technical advice.

Blue Footed Booby
Oct 4, 2006

got those happy feet




Slippery Tilde

Klyith posted:

With a search warrant for your computer, the cops can tell you to type in your password (that's compel in a legal sense, not compel as in beat you 'til you give in). If you don't, you may face the consequences of not following a legal search. Currently those consequences are 18 months in jail for contempt of court, if the judge thinks the prosecutors have a good case against you and that the case would be a "foregone conclusion" if you typed in the passwords to decrypt your CP stash.

...

Multiple states' supreme courts have ruled that compelling password disclosure violates the fifth amendment. To my knowledge it hasn't gone to SCOTUS but that still means you can't tell people that as blanket advice absent either a specific locality or a federal crime.

tuyop
Sep 14, 2006

Every second that we're not growing BASIL is a second wasted


Fun Shoe

There are also many things that are currently crimes that probably will not always be crimes and telling someone just to "not do crimes" is highly privileged and ignorant of all historical context. Unless you're the kind of champ who would tell a suffragette that if she didn't want to be force-fed she shouldn't have done the crimezzz. Or a black child mauled by a police dog. Indigenous peoples everywhere currently being terrorized by governments. Stuff like that. These fights continue all over the world and strong encryption and security practices have now become necessary to keep activists safe. It's not an option in many cases for them to simply "not do crimes" because those direct actions are how they survive.

Fruits of the sea
Dec 1, 2010


repiv posted:

Every device with a fingerprint scanner I've used has had this requirement, because no scanner is 100% reliable

If your finger is damp it probably won't work

Well thanks, now I know why fingerprint scanners rarely work for me. That's me, the guy with perpetually sweaty hands.

Cardiovorax
Jun 5, 2011
I got chased out of the Monster Hunter thread for garbage posting, now I shit up other Games threads with useless low-effort uninformed aggro noise. I somehow think "VN nerds" are beneath me and I belong on your ignore list.

It also doesn't work well if your fingers are too dry, or too fatty, or if you happen to have a small cut on the tip of the finger that you use for your fingerprint scanner. I don't use it for my PC, but I have the fingerprint unlock activated on my smartphone, and boy can it be finicky. It's why it's a good reason to always register more than one finger and to have a fallback method.

repiv
Aug 13, 2009



College Slice

It does depend on the type of scanner, the ultrasonic ones that e.g. Samsung uses are terrible compared to the capacitive or optical ones

Cardiovorax
Jun 5, 2011
I got chased out of the Monster Hunter thread for garbage posting, now I shit up other Games threads with useless low-effort uninformed aggro noise. I somehow think "VN nerds" are beneath me and I belong on your ignore list.

For something completely different: the Windows 10 2004 update seems to be causing my computer to bluescreen. I never get bluescreens and didn't have anything else running at the time, but just this evening, I've gotten two and both with the same error message about unhandled exceptions in system threads. Does anyone know what might be causing that and how to fix it?

LRADIKAL
Jun 10, 2001

A Very Useful Person



Fun Shoe

You should be able to roll back. Alternatively, if there's an error code, Google it and see if there's a hotfix. Also you can try updating graphics drivers, etc.

Cardiovorax
Jun 5, 2011
I got chased out of the Monster Hunter thread for garbage posting, now I shit up other Games threads with useless low-effort uninformed aggro noise. I somehow think "VN nerds" are beneath me and I belong on your ignore list.

Sorry, I phrased that wrong: trying to apply the 2004 update is what is causing the bluescreen, not the installed update, because I can't actually get that far.

MarcusSA
Sep 23, 2007






Grimey Drawer

Cardiovorax posted:

Sorry, I phrased that wrong: trying to apply the 2004 update is what is causing the bluescreen, not the installed update, because I can't actually get that far.

Hey the 2004 update nuked my drive so at least it hasn't done that to you!

I had to completely wipe the drive and start over fresh.

Nowher
Nov 29, 2019

touching the void


My Win10 system drive on my HTPC is showing some very alarming SMART readings. This system took me forever to set up just right but thankfully my media is stored on separate drives.

What would be the most painless way to clone this drive to a spare SSD and use that as a system drive?

Will this give me issues with my Win10 activation?

tuyop
Sep 14, 2006

Every second that we're not growing BASIL is a second wasted


Fun Shoe

Nowher posted:

My Win10 system drive on my HTPC is showing some very alarming SMART readings. This system took me forever to set up just right but thankfully my media is stored on separate drives.

What would be the most painless way to clone this drive to a spare SSD and use that as a system drive?

Will this give me issues with my Win10 activation?

Macrium Reflect worked great for me. And no.

MarcusSA
Sep 23, 2007






Grimey Drawer

tuyop posted:

Macrium Reflect worked great for me. And no.

Seconding this.

Just make sure to uninstall it when you are done because it has a lot of annoying popups.

Windows question for me. I have a 2 bay NAS that I was using for media storage and it has 8TB of storage that is mostly free. I have 4 windows 10 machines I'd like to start doing (weekly?) backups so if something like what happened before I can just do a restore from one of the backups.

What is the easiest way to have Windows do this? Is there something built in like say Mac Time machine?

Klyith
Aug 3, 2007

GBS Pledge Week


MarcusSA posted:

Windows question for me. I have a 2 bay NAS that I was using for media storage and it has 8TB of storage that is mostly free. I have 4 windows 10 machines I'd like to start doing (weekly?) backups so if something like what happened before I can just do a restore from one of the backups.

What is the easiest way to have Windows do this? Is there something built in like say Mac Time machine?

Windows does have a built-in backup function called file history. Settings -> Update & Security -> Backup. It's not a comprehensive backup -- you can't target windows directories or make a restore-able image -- but it keeps multiple incremental versions and is a good solution for basic backup of important files to a NAS.

If you want complete system backup to make restoring the OS easy if your drive wipes, you'd need something better. (Though I'd say that's a case for a two tier solution -- use macrium or something to make a complete image every so often / before big OS updates, and file history or another backup program for continuous backup of important files.)

MarcusSA
Sep 23, 2007






Grimey Drawer

Klyith posted:

Windows does have a built-in backup function called file history. Settings -> Update & Security -> Backup. It's not a comprehensive backup -- you can't target windows directories or make a restore-able image -- but it keeps multiple incremental versions and is a good solution for basic backup of important files to a NAS.

If you want complete system backup to make restoring the OS easy if your drive wipes, you'd need something better. (Though I'd say that's a case for a two tier solution -- use macrium or something to make a complete image every so often / before big OS updates, and file history or another backup program for continuous backup of important files.)

Ok so I'd definitely need a third party solution then?

I guess coming from Mac where I can do a restore from a time machine backup windows is a bit lacking in that area.

tuyop
Sep 14, 2006

Every second that we're not growing BASIL is a second wasted


Fun Shoe

MarcusSA posted:

Ok so I'd definitely need a third party solution then?

I guess coming from Mac where I can do a restore from a time machine backup windows is a bit lacking in that area.

Yeah this isn't something Windows has built in to the level that MacOS does. The good news is that there are a few really good free ones like Macrium or Backupper. I use Macrium and it takes an incremental image every Mon/Wed/Fri morning. It's not quite as seamless to restore as Time Machine but it's close.

If you're looking for a total solution, I use Macrium and File History. Macrium's latest image gets synced to my NAS, encrypted, and then uploaded to an AWS Glacier bucket. File History is useful for the types of files that don't do well in cloud storage (I use it for in-progress Premiere projects and other huge files/folders).


Toast Museum
Dec 3, 2005

30% Iron Chef


MarcusSA posted:

Ok so I’d definitely need a third party solution then?

I guess coming from Mac where I can do a restore from a time machine backup windows is a bit lacking in that area.

The Deployment Image Servicing and Management tool (DISM) is the first-party tool for capturing and applying disk images, if you want to avoid third-party tools. It's definitely not Time Machine, though.

If I had to guess why Windows doesn't have a closer equivalent to Time Machine, I think the uncertainty about hardware is probably a big factor. Trying to apply a backup image to a new computer would have a pretty high chance of issues caused by hardware differences, and from a public perception standpoint, it's probably better to offer nothing than to offer a tool that often fails.
