• Re: Any point to password protecting the bios if only 3 people in thehousehold, and 2 know nothing about bioses?

    From Brian Gregory@void-invalid-dead-dontuse@email.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jan 22 14:30:37 2026
    From Newsgroup: alt.comp.os.windows-11

    On 21/01/2026 18:32, Maria Sophia wrote:
    Brian Gregory wrote:
    On 20/01/2026 20:43, Maria Sophia wrote:
    Brian Gregory wrote:
    Unless you're Jeffrey Epstein, they likely want the hardware, not
    the data.

    Duh! We're dealing entirely with unlikely situations here. My laptop
    isn't stolen regularly, say about once every year.

    Stolen laptops, from domestic homes are likely to be quickly sold
    for drug money in some back alley to someone who will then have a
    long time to go through their contents and work out how to use
    anything interesting they find.

    I'm making a philosophical point, which is who needs marketing gimmicks?
    I've never been 'burgled' but if I was, my passwords are in
    KeepassXC, and
    my financial data is in veracrypt containers, so all they get are my
    pics.

    Which is the key point, really...
    We don't *need* silly marketing security (e.g., biometric gimmicks)
    for a
    home computer as long as we don't live in the slums... :)

    You don't need to leave the blank checks in your checkbook (did I spell
    it the correct way for you US types?) unsigned. But I bet you do.


    If we live in the slums, then by all means, we need those silly
    marketing
    gimmicks, and, unfortunately, on iOS devices, the gimmicks are required.

    Unlike in the USA, there don't seem to be many slums left in my country.

    I have pictures of the children of relatives. They would be unhappy if
    I said some random thief had these pictures and I totally understand
    why, when you hear what paedophiles have been known to use them for,
    or even just what Grok lets you do with them.

    Hi Brian,
    We can delve deeper into edge cases, but the main question was whether a
    home user needs BIOS passwords on a Windows system. My view
    is that BIOS passwords may not protect the data that actually matters.

    Some important data on a typical Windows laptop that need protection are passwords and financial or medical records, which I focused upon, although pictures and anything else can be added into that category if you like.
    Those are likely stored in encrypted containers if you use tools like Veracrypt and KeepassXC (although I'd have to check how to automate that
    for photos). While that is partial encryption, not full disk encryption, my observation is that it may be enough for most home users because the sensitive material is isolated without having to enter a password (or biometric marketing gimmicks) constantly, every day of the year.

    A BIOS password does not protect any of that (AFAIK). A thief can remove
    the drive and read it. Biometrics do not protect it either. They only
    unlock the Windows session. Once the drive is out of the laptop, the biometric layer is irrelevant (AFAIK).

    So my practical Windows security model for a home environment is this:

    1. Encrypt the small amount of data that actually matters, such as
    passwords and financial records.
    2. Keep that data in Veracrypt containers or a password manager.
    3. Do not rely on BIOS passwords or biometrics to protect data on a
    stolen device because they do not address that threat.

    Biometric marketing gimmicks solve a convenience problem, not a data protection problem. If we have a real fear of the people around us, that is
    a different threat model, but most home users do not need that level of control (IMHO) in terms of the frequency of passwords they enter.

    But it's unrealistic to expect anyone but an expert to install and use Veracrypt containers, and it's also largely unrealistic to expect them to
    keep absolutely everything always in its designated place, encrypted or unencrypted as appropriate.

    I get that BIOS password doesn't add any real protection but why object
    to it so much? It's another thing that any hacker will need to get
    around before they can run any hacking tool on a PC.

    I also do not see why you regard biometric security as a gimmick. It's
    dirt cheap now (cost me £12 to add a fingerprint reader to my desktop
    PC) and works fairly well, and seems to err firmly towards rejecting
    fingers that don't match exactly rather than accepting anything vaguely
    like my finger. On cold days I even need to warm my finger before
    there's any hope of it matching how it looked to the scanner on a hot day.
    --
    Brian Gregory (in England).
    --- Synchronet 3.21a-Linux NewsLink 1.2
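    The container workflow the quoted post leaves open ("I'd have to check how to automate that for photos") can be scripted with VeraCrypt's command-line switches. The script below is an added example, not code from any poster in this thread: it mounts a container, copies new photos into it with robocopy, and dismounts it. The install path, container path, source folder and mount letter V: are placeholders. The password is deliberately not passed with /p; VeraCrypt shows its own password dialog, so the secret never lands on the command line, in shell history or in a process listing.

```powershell
# Added example, not code from any poster in this thread.
# Mounts a VeraCrypt container, copies new photos into it, then dismounts it,
# so the plaintext staging folder can be emptied afterwards.
# ASSUMPTIONS (placeholders, adjust to taste): the VeraCrypt install path,
# the container path, the source folder and the mount letter V:.
param(
    [string]$VeraCryptExe = 'C:\Program Files\VeraCrypt\VeraCrypt.exe',
    [string]$Container    = 'D:\vaults\photos.hc',          # hypothetical container
    [string]$Source       = "$env:USERPROFILE\Pictures",    # plaintext staging folder
    [string]$Letter       = 'V'                              # hypothetical mount letter
)

$mountRoot = "${Letter}:\"

# Mount. /v volume, /l drive letter, /q perform the action and exit without the main window.
# No /p on purpose: VeraCrypt pops its own password dialog, so the secret never
# appears on the command line, in PSReadLine history or in process listings.
# (Do not add /s here: together with /q it suppresses prompts, including the password one.)
& $VeraCryptExe /v $Container /l $Letter /q

# VeraCrypt returns once the dialog closes; poll briefly in case the letter appears late.
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-Path $mountRoot) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
if (-not (Test-Path $mountRoot)) {
    throw "Container not mounted on ${Letter}: (wrong password or dialog cancelled?)"
}

try {
    # /E copies subfolders, /XO skips files already in the vault that are not older,
    # so repeated runs only add what is new. /R:1 /W:1 keep retries short.
    robocopy $Source (Join-Path $mountRoot 'Pictures') /E /XO /R:1 /W:1 /NP /NFL /NDL
    # robocopy exit codes 0-7 are success; 8 and above mean something was not copied.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # The vault only helps if the plaintext copies do not stay behind. Uncomment once
    # the copy has been verified; this step is irreversible.
    # Get-ChildItem -Path $Source -Recurse -File | Remove-Item -Force
}
finally {
    # /d dismounts the given letter, /f forces it even if a handle is still open.
    & $VeraCryptExe /d $Letter /f /q /s
}
```

Save it as a .ps1 and run it from a normal (non-elevated) prompt; VeraCrypt will ask for the container password once per run. The caveat that matters for the thread's argument is the commented-out deletion at the end: until the plaintext originals are removed, the container protects a copy, not the data, and a pulled drive still yields the photos from the staging folder.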
  • From Chris@ithinkiam@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jan 22 14:59:44 2026
    From Newsgroup: alt.comp.os.windows-11

    Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
    On 21/01/2026 18:32, Maria Sophia wrote:
    So my practical Windows security model for a home environment is this:

    1. Encrypt the small amount of data that actually matters, such as
    passwords and financial records.
    2. Keep that data in Veracrypt containers or a password manager.
    3. Do not rely on BIOS passwords or biometrics to protect data on a
    stolen device because they do not address that threat.

    Biometric marketing gimmicks solve a convenience problem, not a data
    protection problem. If we have a real fear of the people around us, that is
    a different threat model, but most home users do not need that level of
    control (IMHO) in terms of the frequency of passwords they enter.

    But it's unrealistic to expect anyone but an expert to install and use Veracrypt containers, and it's also largely unrealistic to expect them to
    keep absolutely everything always in its designated place, encrypted or unencrypted as appropriate.

    I get that BIOS password doesn't add any real protection but why object
    to it so much? It's another thing that any hacker will need to get
    around before they can run any hacking tool on a PC.

    I also do not see why you regard biometric security as a gimmick. It's
    dirt cheap now (cost me £12 to add a fingerprint reader to my desktop
    PC) and works fairly well, and seems to err firmly towards rejecting
    fingers that don't match exactly rather than accepting anything vaguely
    like my finger. On cold days I even need to warm my finger before
    there's any hope of it matching how it looked to the scanner on a hot day.

    It's simply best to ignore "Maria". He largely makes sense to only himself.



    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jan 22 10:22:31 2026
    From Newsgroup: alt.comp.os.windows-11

    Frank Slootweg wrote:
    What is your recommendation for privacy on a computer, Frank?

    Non-response to my arguments, etc. duly noted.

    I am focusing only on technical points relevant to providing advice to
    computer users who wish to benefit from the knowledge we are sharing in
    this thread.

    To answer your question: You probably mean measures to limit the consequences of bad actors having physical access to your (Windows)
    computer or stealing it, as that's the context of this thread. "privacy
    on a computer" is *way* too wide/unspecific/ambiguous/<whatever>.

    You are correct. We're assuming a daily boot of a Windows PC with a local account (whether Windows 11 or Windows 10) and people you trust in the home
    and we're assuming the rare happenstance of a burglar with physical access.

    Note: Windows FDE is Bitlocker, so that is the default interpretation.

    That said, my - rather obvious - recommendations are: A boot password, sign-in protection (password or/and other) and - if needed/practical - Windows' FDE or similar.

    Thank you for outlining your model to contrast with mine, where we each optimized the threat protection in reasonably different manners.

    I. Frank's proposed security model is system centric & labor intensive.
    II. The model I suggest is data centric & optimized for convenience.

    Since the goal is for others to learn from our technical conversation
    here is a point-by-point summary of the two threat models we proposed.

    A. Threat model
    1. FS assumes OS level FDE (Bitlocker) protection is required.
    2. MS assumes only specific data stores need protection.

    B. Boot process
    1. FS uses a boot password and sign in protection.
    2. MS uses no boot password and no sign in password.

    C. Disk protection
    1. FS uses Windows FDE so the entire volume is encrypted at rest.
    2. MS uses Veracrypt for financial data & KeePassDX for passwords.

    D. Forensic residue
    1. FS's model encrypts swap, temp files, hibernation files & caches.
    2. MS's model protects encrypted containers leaving OS residue readable.

    E. Convenience
    1. FS accepts daily friction at boot & sign in.
    2. MS eliminates friction at boot & sign in by only unlocking
    containers when needed (which the user may unlock only occasionally).

    F. Cloud identity
    1. FS's model can run without a Microsoft account but if Windows FDE
    is used then recovery material must be stored offline by the user.
    2. MS's model uses no OS level encryption so no recovery keys exist
    and no cloud identity is ever needed at any time (by design).

    G. Physical theft
    1. FS's model forces the attacker to defeat FDE for all access.
    2. MS's model exposes OS data but protects financial & passwd data.

    H. Family access
    1. FS's model blocks family members without credentials.
    2. MS's model allows family access but keeps sensitive data encrypted.

    Summary
    1. FS's model maximizes system level protection & minimizes leakage.
    But at the cost of daily convenience.
    2. MS's model maximizes daily convenience by protecting data chosen
    to encrypt (which the user may unlock only occasionally).
    --
    On Usenet, old men discuss topics that they've thought about for decades.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jan 22 10:59:29 2026
    From Newsgroup: alt.comp.os.windows-11

    Chris wrote:
    Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
    On 21/01/2026 18:32, Maria Sophia wrote:
    So my practical Windows security model for a home environment is this:

    1. Encrypt the small amount of data that actually matters, such as
    passwords and financial records.
    2. Keep that data in Veracrypt containers or a password manager.
    3. Do not rely on BIOS passwords or biometrics to protect data on a
    stolen device because they do not address that threat.

    Biometric marketing gimmicks solve a convenience problem, not a data
    protection problem. If we have a real fear of the people around us, that is
    a different threat model, but most home users do not need that level of
    control (IMHO) in terms of the frequency of passwords they enter.

    But it's unrealistic to expect anyone but an expert to install and use
    Veracrypt containers, it's also largely unrealistic to expect them to
    keep absolutely everything always in it's designated place, encrypted or
    unencrypted as appropriate.

    I get that BIOS password doesn't add any real protection but why object
    to it so much? It's another thing that any hacker will need to get
    around before they can run any hacking tool on a PC.

    I also do not see why you regard biometric security as a gimmick. It's
    dirt cheap now (cost me £12 to add a fingerprint reader to my desktop
    PC) and works fairly well, and seems to err firmly towards rejecting
    fingers that don't match exactly rather than accepting anything vaguely
    like my finger. On cold days I even need to warm my finger before
    there's any hope of it matching how it looked to the scanner on a hot day.

    It's simply best to ignore "Maria". He largely makes sense to only himself.

    Hi Brian and Chris,

    Until/unless Chris proposes a security model for us to discuss like Brian & Frank kindly did, it's not appropriate for me to respond to Chris'
    incessant personal attacks which add no value to this technical discussion.

    Hence, I will stay focused on the technical points since the goal of this thread is to compare practical Windows security models for home users.

    Brian, you raised two reasonable concerns. The first is whether most
    home users can manage Veracrypt or similar tools. The second is whether
    BIOS passwords or biometrics add meaningful protection.

    On the first point, any model requires some discipline. That includes
    full disk encryption, container based encryption, or any hybrid. My view
    is that most home users have a small amount of data that actually
    matters, such as passwords and financial or medical records. Those items
    can be isolated in a container or password manager without requiring the
    user to enter credentials every day. That is the convenience tradeoff I
    am optimizing for since my model is highly optimized for convenience.

    On the second point, a BIOS password does not protect data on a stolen
    device because the drive can be removed and read. Biometrics unlock the
    Windows session but do not protect the drive once it is removed. They
    solve a convenience problem, not a data at rest problem. That is why I
    focus on encrypting the specific data stores that matter.

    On biometrics, a key point is that they do not protect data at rest.
    A fingerprint or face scan unlocks the Windows session, but once the
    drive is removed from the laptop the biometric layer is irrelevant. The
    data on the drive is readable unless it is encrypted. Biometrics solve a convenience problem for sign in, not a data protection problem for a
    stolen device. That is why I treat them more as a marketing gimmick rather
    than a security control for data at rest.

    Chris, if you disagree with my model, that is fine. Instead of comments
    about me, it would help the thread if you outlined your own Windows
    security model for a home environment, the same way Frank and I did.
    That way readers can compare the assumptions, the threat models, and the tradeoffs.

    My model is simple and well thought out to be optimized for convenience.
    1. Encrypt the small amount of data that matters.
    2. Keep it in Veracrypt containers or a password manager.
    3. Do not rely on BIOS passwords or biometrics for data at rest.
    4. Optimize for convenience during daily use.

    Frank's model is different from mine in being system centric.
    My model is data centric. If Chris would like to propose a third
    model, it would be useful to describe it so others can evaluate the
    technical merits.
    --
    On Usenet old men discuss problems they've solved over the decades.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Frank Slootweg@this@ddress.is.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jan 22 18:44:01 2026
    From Newsgroup: alt.comp.os.windows-11

    Maria Sophia <mariasophia@comprehension.com> wrote:
    Frank Slootweg wrote:
    What is your recommendation for privacy on a computer, Frank?
    [...]
    To answer your question: You probably mean measures to limit the consequences of bad actors having physical access to your (Windows) computer or stealing it, as that's the context of this thread. "privacy
    on a computer" is *way* too wide/unspecific/ambiguous/<whatever>.

    You are correct. We're assuming a daily boot of a Windows PC with a local account (whether Windows 11 or Windows 10) and people you trust in the home and we're assuming the rare happenstance of a burglar with physical access.

    You're making a number of essential mistakes.

    For sensible people, there *is* no such thing as "a daily boot". The
    system is active or sleeps (Modern Standby) or is hibernated. A 'boot', actually a 'Restart' is only needed once a month at Windows Update time,
    if that often.

    Note: Windows FDE is Bitlocker, so that is the default interpretation.

    No, Windows FDE is only Bitlocker on Windows Professional, etc. On
    Windows Home, it's (Settings -> Privacy & Security ->) 'Device
    encryption', sort of Bitlocker Lite.

    That said, my - rather obvious - recommendations are: A boot password, sign-in protection (password or/and other) and - if needed/practical - Windows' FDE or similar.

    Thank you for outlining your model to contrast with mine, where we each optimized the threat protection in reasonably different manners.

    I. Frank's proposed security model is system centric & labor intensive.

    Nope, it's not "labor intensive" at all. Set up once and forget.

    II. The model I suggest is data centric & optimized for convenience.

    Yes, it's data centric, but anything *but* convenient, for reasons
    others have already pointed out. More below.

    Since the goal is for others to learn from our technical conversation
    here is a point-by-point summary of the two threat models we proposed.

    A. Threat model
    1. FS assumes OS level FDE (Bitlocker) protection is required.

    No, I said as needed/practical and *if* used, it's 'Device encryption'
    not full Bitlocker.

    2. MS assumes only specific data stores need protection.

    B. Boot process
    1. FS uses a boot password and sign in protection.
    2. MS uses no boot password and no sign in password.

    C. Disk protection
    1. FS uses Windows FDE so the entire volume is encrypted at rest.
    2. MS uses Veracrypt for financial data & KeePassDX for passwords.

    D. Forensic residue
    1. FS's model encrypts swap, temp files, hibernation files & caches.
    2. MS's model protects encrypted containers leaving OS residue readable.

    E. Convenience
    1. FS accepts daily friction at boot & sign in.

    No, no daily bootup and no, no 'friction'. See what the (Settings ->
    Accounts ->) 'Sign-in options' *really* offer. It can be as little as absolutely no action, or just one tap.

    2. MS eliminates friction at boot & sign in by only unlocking
    containers when needed (which the user may unlock only occasionally).

    Which is much, much more 'work' than my setup would ever require.

    F. Cloud identity
    1. FS's model can run without a Microsoft account but if Windows FDE
    is used then recovery material must be stored offline by the user.

    No, Windows' 'Device encryption' doesn't require the user to keep a
    recovery key. The user *can* do so, to protect against a computer
    hardware failure.

    2. MS's model uses no OS level encryption so no recovery keys exist
    and no cloud identity is ever needed at any time (by design).

    Then where *do* you keep your passwords to unlock your containers?

    G. Physical theft
    1. FS's model forces the attacker to defeat FDE for all access.
    2. MS's model exposes OS data but protects financial & passwd data.

    H. Family access
    1. FS's model blocks family members without credentials.

    True, but, as explained above, those 'credentials' are a non-issue.

    2. MS's model allows family access but keeps sensitive data encrypted.

    Summary
    1. FS's model maximizes system level protection & minimizes leakage.
    But at the cost of daily convenience.

    No, as explained, when properly set up, there is very little to no inconvenience.

    2. MS's model maximizes daily convenience by protecting data chosen
    to encrypt (which the user may unlock only occasionally).

    My summary: You're of course entitled to use your system as you see
    fit and so do I/others. But your methods are not 'better', i.e. have only advantages and not a single disadvantage, nor are mine. They just are different, that's all. 'Better' does not exist, not in this case and not
    in any other case.

    --
    On Usenet, old men discuss topics that they've thought about for decades.

    Well, it didn't take *me* all that long, a few hours perhaps! :-)
    --- Synchronet 3.21a-Linux NewsLink 1.2
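    Both posts above argue about what a pulled drive yields: Maria's points C, D and F (which stores are encrypted, whether swap and hibernation residue are readable, whether a recovery key exists) and Frank's correction that on Home the mechanism is 'Device encryption' rather than full BitLocker. The script below is an added example, not code from either poster, that reads those facts off one machine. It uses the documented Win32_EncryptableVolume WMI class, which both BitLocker and Device Encryption expose, plus the registry values behind hibernation and the page-file clearing option. The protector type numbers and status codes are the class's documented values; the namespace is absent on machines with neither BitLocker nor Device Encryption, which the script reports as a warning.

```powershell
# Added example, not code from any poster in this thread.
# Audits the data-at-rest points argued in the thread on one Windows machine:
# is each volume encrypted, by which key protectors, and is the plaintext
# residue (hibernation file, page file) present or cleared at shutdown.
# Run from an elevated PowerShell: Win32_EncryptableVolume requires admin.
# Covers both BitLocker (Pro) and Device Encryption (Home); same WMI class.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Documented code-to-name maps for the Win32_EncryptableVolume class.
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey (USB startup key)'
    3 = 'NumericalPassword (48-digit recovery password)'; 4 = 'TPM+PIN'
    5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'; 7 = 'PublicKey'
    8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'Windows Hello / CNG key'
}
$protectionNames = @{ 0 = 'OFF (unprotected)'; 1 = 'ON'; 2 = 'Unknown' }
$conversionNames = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}
$methodNames = @{
    0 = 'None'; 1 = 'AES128+Diffuser'; 2 = 'AES256+Diffuser'; 3 = 'AES128'
    4 = 'AES256'; 5 = 'Hardware'; 6 = 'XTS-AES128'; 7 = 'XTS-AES256'
}

function Get-VolumeEncryptionReport {
    try {
        $vols = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume -ErrorAction Stop
    } catch {
        Write-Warning "No BitLocker/Device Encryption provider on this machine: $($_.Exception.Message)"
        return
    }
    foreach ($vol in $vols) {
        $prot = (Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus).ProtectionStatus
        $conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
        $meth = (Invoke-CimMethod -InputObject $vol -MethodName GetEncryptionMethod).EncryptionMethod
        # KeyProtectorType 0 means "all types": list every protector bound to the volume.
        $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
        $types = foreach ($id in @($ids)) {
            $t = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                      -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
            $protectorNames[[int]$t]
        }
        [pscustomobject]@{
            Drive      = $vol.DriveLetter
            Protection = $protectionNames[[int]$prot]
            Conversion = "$($conversionNames[[int]$conv.ConversionStatus]) ($($conv.EncryptionPercentage)%)"
            Method     = $methodNames[[int]$meth]
            Protectors = if ($types) { $types -join ', ' } else { '(none)' }
        }
    }
}

function Get-PlaintextResidueReport {
    $sys   = $env:SystemDrive
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $mm    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HibernateEnabled        = [bool]$power.HibernateEnabled          # what powercfg /hibernate toggles
        HiberfilPresent         = [IO.File]::Exists("$sys\hiberfil.sys")  # RAM image, incl. unlocked keys
        PagefilePresent         = [IO.File]::Exists("$sys\pagefile.sys")  # swapped-out process memory
        ClearPageFileAtShutdown = [bool]$mm.ClearPageFileAtShutdown       # 1 = wiped at shutdown
    }
}

Get-VolumeEncryptionReport  | Format-Table -AutoSize
Get-PlaintextResidueReport  | Format-List
```

How to read it against the thread: a volume with Protection OFF or Protectors '(none)' is what a pulled drive hands over in full, residue included, which is the case Maria's model accepts for the OS volume. 'TPM' alone means the disk unlocks when that machine boots intact, so the barrier for a stolen laptop is the sign-in screen (password, PIN or fingerprint), while the drive on its own stays encrypted; adding a PIN moves that barrier to before boot. A 'NumericalPassword' entry is the recovery password Frank mentions; whether a copy of it sits in a Microsoft account, a printout or a file is not visible from the volume, but `manage-bde -protectors -get C:` prints the 48-digit value so it can be stored offline. With an unencrypted OS volume, HiberfilPresent and PagefilePresent true and ClearPageFileAtShutdown false is the 'OS residue readable' case from point D, and anything typed into an unlocked VeraCrypt or KeePass window may be sitting in those files.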
  • From J. P. Gilliver@G6JPG@255soft.uk to alt.comp.os.windows-10,alt.comp.os.windows-11 on Thu Jan 22 20:24:20 2026
    From Newsgroup: alt.comp.os.windows-11

    On 2026/1/22 8:55:19, Daniel70 wrote:
    On 22/01/2026 7:10 am, Andy Burns wrote:
    Daniel70 wrote:
    Chris wrote:

    What house in any decent area doesn't have jewellery?

    Mine .... but then, I don't have a Misses, either! ;-P
    A nice watch?

    Who needs a Watch .... when I've got my 'phone'?? ;-P
    I can glance at my wrist (cheap blue plastic CASIO - had it for years)
    far more quickly than I could at a 'phone, if I had one (and both my
    hands are free, too). Plus, if I _had_ a smartphone, I'd presumably
    mostly be doing something with it (if not, why have one?), so would have
    to change/minimise to see the clock (or peer at tiny digits along the
    edge of the display).
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf
  • From Mark Lloyd@not.email@all.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Thu Jan 22 22:00:31 2026
    From Newsgroup: alt.comp.os.windows-11

    On Thu, 22 Jan 2026 07:46:17 +0000, Graham J wrote:

    Paul wrote:

    [snip]

    It's the same with some city employees, you can hear
    household noises where they are.

    By contrast, if you can hear "office" noises then it's a spammer calling
    you ...

    I have gotten such calls. Junk callers usually don't leave messages, but I
    got one yesterday where the ENTIRE message was a bit of garbled sound that could be half a word (I have no idea what word) or just shuffling papers.
    --
    Mark Lloyd
    http://notstupid.us/

    "If at first you don't succeed, look at it this way - you failed."
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Mark Lloyd@not.email@all.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Thu Jan 22 22:11:50 2026
    From Newsgroup: alt.comp.os.windows-11

    On Thu, 22 Jan 2026 20:24:20 +0000, J. P. Gilliver wrote:

    On 2026/1/22 8:55:19, Daniel70 wrote:
    On 22/01/2026 7:10 am, Andy Burns wrote:
    Daniel70 wrote:
    Chris wrote:

    What house in any decent area doesn't have jewellery?

    Mine .... but then, I don't have a Misses, either! ;-P
    A nice watch?

    Who needs a Watch .... when I've got my 'phone'?? ;-P

    I can glance at my wrist (cheap blue plastic CASIO - had it for years)
    far more quickly than I could at a 'phone, if I had one (and both my
    hands are free, too).

    Yes, it's faster. Also I find digital faster too. I can look at the digital clock here and have the time almost as fast as my eyes can focus. An
    analog clock takes longer to read. Some people claim an analog clock is
    better for fuzzy (approximate) time. I prefer to do my own fuzzing (like saying "it's about four" when the time is 4:06).

    Plus, if I _had_ a smartphone, I'd presumably
    mostly be doing something with it (if not, why have one?), so would have
    to change/minimise to see the clock (or peer at tiny digits along the
    edge of the display).
    --
    Mark Lloyd
    http://notstupid.us/

    "If at first you don't succeed, look at it this way - you failed."
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Fri Jan 23 00:59:39 2026
    From Newsgroup: alt.comp.os.windows-11

    Frank Slootweg wrote:
    Maria Sophia <mariasophia@comprehension.com> wrote:
    Frank Slootweg wrote:
    What is your recommendation for privacy on a computer, Frank?
    [...]
    To answer your question: You probably mean measures to limit the
    consequences of bad actors having physical access to your (Windows)
    computer or stealing it, as that's the context of this thread. "privacy
    on a computer" is *way* too wide/unspecific/ambiguous/<whatever>.

    You are correct. We're assuming a daily boot of a Windows PC with a local
    account (whether Windows 11 or Windows 10) and people you trust in the home
    and we're assuming the rare happenstance of a burglar with physical access.

    You're making a number of essential mistakes.

    For sensible people, there *is* no such thing as "a daily boot". The
    system is active or sleeps (Modern Standby) or is hibernated. A 'boot', actually a 'Restart' is only needed once a month at Windows Update time,
    if that often.

    Note: Windows FDE is Bitlocker, so that is the default interpretation.

    No, Windows FDE is only Bitlocker on Windows Professional, etc. On
    Windows Home, it's (Settings -> Privacy & Security ->) 'Device
    encryption', sort of Bitlocker Lite.

    That said, my - rather obvious - recommendations are: A boot password,
    sign-in protection (password or/and other) and - if needed/practical -
    Windows' FDE or similar.

    Thank you for outlining your model to contrast with mine, where we each
    optimized the threat protection in reasonably different manners.

    I. Frank's proposed security model is system centric & labor intensive.

    Nope, it's not "labor intensive" at all. Set up once and forget.

    II. The model I suggest is data centric & optimized for convenience.

    Yes, it's data centric, but anything *but* convenient, for reasons
    others have already pointed out. More below.

    Since the goal is for others to learn from our technical conversation
    here is a point-by-point summary of the two threat models we proposed.

    A. Threat model
    1. FS assumes OS level FDE (Bitlocker) protection is required.

    No, I said as needed/practical and *if* used, it's 'Device encryption'
    not full Bitlocker.

    2. MS assumes only specific data stores need protection.

    B. Boot process
    1. FS uses a boot password and sign in protection.
    2. MS uses no boot password and no sign in password.

    C. Disk protection
    1. FS uses Windows FDE so the entire volume is encrypted at rest.
    2. MS uses Veracrypt for financial data & KeePassDX for passwords.

    D. Forensic residue
    1. FS's model encrypts swap, temp files, hibernation files & caches.
    2. MS's model protects encrypted containers leaving OS residue readable.

    E. Convenience
    1. FS accepts daily friction at boot & sign in.

    No, no daily bootup and no, no 'friction'. See what the (Settings -> Accounts ->) 'Sign-in options' *really* offer. It can be as little as absolutely no action, or just one tap.

    2. MS eliminates friction at boot & sign in by only unlocking
    containers when needed (which the user may unlock only occasionally).

    Which is much, much more 'work' than my setup would ever require.

    F. Cloud identity
    1. FS's model can run without a Microsoft account but if Windows FDE
    is used then recovery material must be stored offline by the user.

    No, Windows' 'Device encryption' doesn't require the user to keep a recovery key. The user *can* do so, to protect against a computer
    hardware failure.

    2. MS's model uses no OS level encryption so no recovery keys exist
    and no cloud identity is ever needed at any time (by design).

    Then where *do* you keep your passwords to unlock your containers?

    G. Physical theft
    1. FS's model forces the attacker to defeat FDE for all access.
    2. MS's model exposes OS data but protects financial & passwd data.

    H. Family access
    1. FS's model blocks family members without credentials.

    True, but, as explained above, those 'credentials' are a non-issue.

    2. MS's model allows family access but keeps sensitive data encrypted.

    Summary
    1. FS's model maximizes system level protection & minimizes leakage.
    But at the cost of daily convenience.

    No, as explained, when properly set up, there is very little to no inconvenience.

    2. MS's model maximizes daily convenience by protecting data chosen
    to encrypt (which the user may unlock only occasionally).

    My summary: You're of course entitled to use your system as you see
    fit and so do I/others. But your methods are not 'better', i.e. have only advantages and not a single disadvantage, nor are mine. They just are different, that's all. 'Better' does not exist, not in this case and not
    in any other case.

    Hi Frank,

    This discussion is welcome because it compares very different use models.

    To that end, thank you for the clarifications about Device Encryption on
    Home versus Bitlocker on Pro. That helps narrow the terminology since you didn't specify what FDE you were suggesting.

    My usage pattern is different from yours perhaps because my hardware is
    from 2009 and does not wake reliably from sleep or hibernation, so daily shutdown is normal for me. I understand that many people use Modern Standby instead, but my model is based on my own workflow which is perfectly valid.

    Regarding wake credentials, many users still type a password or PIN when
    the system wakes. I never type a password upon booting as I avoid that
    constant friction by not using a local password at all. My threat model
    assumes trusted people in the home and focuses on protecting only specific
    data stores, which are infrequently accessed.

    About recovery keys, AFAIK, Device Encryption may not require the user to
    store one manually, but it still ties recovery to Microsoft infrastructure unless the user intervenes by taking deliberate steps to prevent the
    default behavior. My approach avoids that by not using OS level encryption.

    AFAIK, Windows Device Encryption on Home automatically backs up the
    recovery key to the user's Microsoft account unless the user actively stops
    it. That default behavior is what ties recovery to Microsoft
    infrastructure.

    The passwords for my encrypted containers are stored in KeePassDX inside
    an encrypted database that is backed up offline. So the container keys
    are not tied to a cloud identity. The only passwd I need to know is that to
    the KeepassDX database, but in general, I remember my encrypted volume passwords so I don't need to access the backup inside the keepass db.

    I appreciate that you fleshed out your suggested model where we're all
    still waiting for Chris' response to the same query.

    Given what we've compared I agree that neither model is universally better since mine is designed for minimum friction and yours is designed for a far greater threat model than I feel at my home in the Santa Cruz Mountains.

    I'm sure a burglary happens where I live, but I have no experience with it
    and I don't need to add a dozen locks to my doors that have to be opened
    all day, every day. I prefer simply to lock the shed where I keep my tools,
    and then, once a week or so, I can go to the trouble to unlock it then.

    Your model, while tolerating more friction, also maximizes
    system level protection with minimal daily interaction. My model
    maximizes convenience by encrypting only the data I consider sensitive.

    Both approaches are valid depending on hardware age, habits and
    tolerance for friction. I have no tolerance for extra steps.

    It's why all my commands are a single step on both Windows and Android.
    --
    If it takes two steps to do something on a computer, cut it in half.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 20:17:11 2026
    From Newsgroup: alt.comp.os.windows-11

    On 23/01/2026 7:24 am, J. P. Gilliver wrote:
    On 2026/1/22 8:55:19, Daniel70 wrote:
    On 22/01/2026 7:10 am, Andy Burns wrote:
    Daniel70 wrote:
    Chris wrote:

    What house in any decent area doesn't have jewellery?

    Mine .... but then, I don't have a Misses, either! ;-P
    A nice watch?

    Who needs a Watch .... when I've got my 'phone'?? ;-P

    I can glance at my wrist (cheap blue plastic CASIO - had it for
    years)

    Almost forty years ago, my mother gave me a fancy Wristwatch for my 21st
    Birthday and, about a fortnight later, I made the mistake of wearing it
    during Rifle Drill (I was in the Army) and scratched the hell out of the
    glass face .... so that was the end of wearing my watch, at least for
    part of my TIME .... especially as I worked in an Army Communications
    Station .... so there were clocks all over the place.

    far more quickly than I could at a 'phone, if I had one (and both my
    hands are free, too).

    About fifteen years later (early 90's, I think), I was travelling down
    Major Highway to see Family .... and my Car broke down .... so it was a
    couple of kilometres (each way) walk to the "Roadside Assistance" phone.

    Soon after, I bought my first Mobile Phone.

    Plus, if I _had_ a smartphone, I'd presumably mostly be doing
    something with it (if not, why have one?),

    For EMERGENCIES!! RE-read my last para!! ;-)

    so would have to change/minimise to see the clock (or peer at tiny
    digits along the edge of the display).

    Having been in the Army, where you could get into trouble for not being
    where you are supposed to be WHEN you are supposed to be there .... so I
    usually have my Car clock set three to five minutes fast .... you know,
    just in case!! (even having been out of the Army over thirty years)
    --
    Daniel70
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 20:26:42 2026
    From Newsgroup: alt.comp.os.windows-11

    On 22/01/2026 6:46 pm, Graham J wrote:
    Paul wrote:

    [snip]

     It's the same with some city employees, you can hear
    household noises where they are.

    By contrast, if you can hear "office" noises then it's a spammer calling
    you ...

    I moved into this house about Ten years ago and, for some reason or
    other, the Phone Landline socket is positioned on the far wall of the
    main bedroom.

    I don't know about you but I don't spend much time in my Bedroom ....
    except when I'm sleeping .... so, after rushing from the Loungeroom to
    the Bedroom when the phone rang .... only to find it was a Spammer
    calling, I bought myself a Cordless phone with Answer machine built
    into the Base station .... so, if the phone rings, I let the Answer
    machine do its job .... and, usually, by the time the Answer machine's
    Welcome message has finished, the caller has hung up.

    Job Done!! ;-P
    --
    Daniel70
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 22:19:59 2026
    From Newsgroup: alt.comp.os.windows-11

    On 23/01/2026 8:17 pm, Daniel70 wrote:
    On 23/01/2026 7:24 am, J. P. Gilliver wrote:
    On 2026/1/22 8:55:19, Daniel70 wrote:
    On 22/01/2026 7:10 am, Andy Burns wrote:
    Daniel70 wrote:
    Chris wrote:

    What house in any decent area doesn't have jewellery?

    Mine .... but then, I don't have a Misses, either! ;-P
    A nice watch?

    Who needs a Watch .... when I've got my 'phone'?? ;-P

    I can glance at my wrist (cheap blue plastic CASIO - had it for
    years)

    Almost forty years ago,

    Oops!! S/forty years ago/fifty years ago

    my mother gave me a fancy Wristwatch for my 21st Birthday and, about
    a fortnight later, I made the mistake of wearing it during Rifle
    Drill (I was in the Army) and scratched the hell out of the glass
    face .... so that was the end of wearing my watch, at least for part
    of my TIME .... especially as I worked in an Army Communications
    Station .... so there were clocks all over the place.

    far more quickly than I could at a 'phone, if I had one (and both
    my hands are free, too).

    About fifteen years later (early 90's, I think), I was travelling
    down Major Highway to see Family .... and my Car broke down .... so
    it was a couple of kilometres (each way) walk to the "Roadside
    Assistance" phone.

    Soon after, I bought my first Mobile Phone.

    Plus, if I _had_ a smartphone, I'd presumably mostly be doing
    something with it (if not, why have one?),

    For EMERGENCIES!! RE-read my last para!! ;-)

    so would have to change/minimise to see the clock (or peer at tiny
    digits along the edge of the display).

    Having been in the Army, where you could get into trouble for not
    being where you are supposed to be WHEN you are supposed to be there
    .... so I usually have my Car clock set three to five minutes fast
    .... you know, just in case!! (even having been out of the Army over
    thirty years)
    --
    Daniel70
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Frank Slootweg@this@ddress.is.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Fri Jan 23 15:18:22 2026
    From Newsgroup: alt.comp.os.windows-11

    Maria Sophia <mariasophia@comprehension.com> wrote:
    [...]
    Hi Frank,

    This discussion is welcome because it compares very different use models.
    [...]
    My usage pattern is different from yours perhaps because my hardware is
    from 2009 and does not wake reliably from sleep or hibernation, so daily shutdown is normal for me.

    That makes sense, but it also means that you spend more time per day
    on shutting down and booting up, than I could possibly ever spend on
    needing to 'enter' credentials or otherwise unlock things! :-)

    [...]

    About recovery keys, AFAIK, Device Encryption may not require the user
    to store one manually, but it still ties recovery to Microsoft
    infrastructure unless the user intervenes by taking deliberate steps to
    prevent the default behavior. My approach avoids that by not using OS
    level encryption.

    AFAIK, Windows Device Encryption on Home automatically backs up the
    recovery key to the user's Microsoft account unless the user actively
    stops it. That default behavior is what ties recovery to Microsoft
    infrastructure.

    Windows Device Encryption also works with a local account. I only have
    a local account and don't have a Microsoft Account. I believe the key is
    stored in the machine's BIOS or similar, hence my comment on saving the
    key somewhere locally in case the machine has a fatal hardware failure.

    The passwords for my encrypted containers are stored in KeePassDX inside
    an encrypted database that is backed up offline. So the container keys
    are not tied to a cloud identity. The only password I need to know is
    the one to the KeePassDX database, but in general, I remember my
    encrypted volume passwords so I don't need to access the backup inside
    the KeePass db.

    Yes, but you *do* need to enter (or auto-fill) those passwords when
    you 'open' your containers. That may well be way more effort than the
    occasional screen-unlock that I might have to do. (Note: Screen-unlock,
    not Sign-in, because I never sign-out, unless I have to for some
    uncommon reason.) Note: *I* don't consider any of this any effort at
    all, but as you do, I describe the difference between your and my way of
    doing things.

    Given what we've compared, I agree that neither model is universally
    better since mine is designed for minimum friction and yours is designed
    for a far greater threat model than I feel at my home in the Santa Cruz
    Mountains.

    I'm sure a burglary happens where I live, but I have no experience with
    it and I don't need to add a dozen locks to my doors that have to be
    opened all day, every day. I prefer simply to lock the shed where I keep
    my tools, and then, once a week or so, I can go to the trouble to unlock
    it then.

    I am also not afraid of my system getting stolen from our house, but
    it is a laptop which regularly travels outside our house and there it's
    way more prone to being stolen/lost/damaged. In contrast, my wife's
    system is a 'desktop' (actually a Mini-PC) and that does not have a
    bootup password, no Sign-in/Unlock password and no encryption of any
    kind.

    [...]

    Both approaches are valid depending on hardware age, habits and
    tolerance for friction. I have no tolerance for extra steps.

    I also have no tolerance for extra steps, that's why we live in a
    one-level apartment! :-)

    [...]

    --
    If it takes two steps to do something on a computer, cut it in half.

    Isn't that a waste of a probably perfectly good computer! :-)
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From J. P. Gilliver@G6JPG@255soft.uk to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 16:04:06 2026
    From Newsgroup: alt.comp.os.windows-11

    On 2026/1/23 11:19:59, Daniel70 wrote:
    On 23/01/2026 8:17 pm, Daniel70 wrote:
    On 23/01/2026 7:24 am, J. P. Gilliver wrote:
    On 2026/1/22 8:55:19, Daniel70 wrote:

    []

    Who needs a Watch .... when I've got my 'phone'?? ;-P

    I can glance at my wrist (cheap blue plastic CASIO - had it for
    years)

    Almost forty years ago,

    Opps!! S/forty years ago/fifty years ago

    my mother gave me a fancy Wristwatch for my 21st Birthday and, about
    a fortnight later, I made the mistake of wearing it during Rifle
    Drill (I was in the Army) and scratched the hell out of the glass
    face .... so that was the end of wearing my watch, at least for part
    of my TIME .... especially as I worked in an Army Communications
    Station .... so there were clocks all over the place.

    far more quickly than I could at a 'phone, if I had one (and both
    my hands are free, too).

    About fifteen years later (early 90's, I think), I was travelling
    down Major Highway to see Family .... and my Car broke down .... so
    it was a couple of kilometres (each way) walk to the "Roadside
    Assistance" phone.

    Soon after, I brought my first Mobile Phone.

    Plus, if I _had_ a smartphone, I'd presumably mostly be doing
    something with it (if not, why have one?),

    For EMERGENCIES!! RE-read my last para!! ;-)

    Yes, I have a mobile 'phone, for exactly that - in case of car
    breakdown. But it truly _is_ for emergencies: I have a PAYG contract, or
    more or less as near as I could get - the words "per month" are _not_
    involved. Actually what I've got is better suited for that use: rather
    than several tens of pence per minute, it costs me 2 pounds _if_ I use
    it, but I then get unlimited calls for the rest of that day, which would
    probably be useful for a remote breakdown. [Hasn't happened since I
    preloaded it.])

    But now _you_ re-read what I said: SMARTphone. The one I have - I think
    it's Nokia; was the only one I could find without a camera, which was a
    requirement at the time I bought it. I charge it once a week, though the
    little symbol implies it's only a third discharged (I do leave it on).
    [Don't most smartphones last 2-3 days at most?] If I _had_ a smartphone,
    then presumably most of the time I would be doing something with it,
    else why have one?


    so would have to change/minimise to see the clock (or peer at tiny
    digits along the edge of the display).

    Having been in the Army, where you could get into trouble for not
    being where you are supposed to be WHEN you are supposed to be there

    (I have suffered slightly career-wise from _not_ being punctual - and
    mine _wasn't_ in the services!)

    .... so I usually have my Car clock set three to five minutes fast
    .... you know. just in case!! (even having been out of the Army over
    thirty years)

    Doesn't setting it fast cease to work after a short time, though,
    because you _know_ it's set fast?
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    "...told me to connect with the electorate, and I did!" John Prescott
    on having punched the man who threw an egg at him (Top Gear, 2011-2-28)
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From J. P. Gilliver@G6JPG@255soft.uk to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 16:09:08 2026
    From Newsgroup: alt.comp.os.windows-11

    On 2026/1/23 9:26:42, Daniel70 wrote:

    []

    I moved into this house about Ten years ago and, for some reason or
    other, the Phone Landline socket is positioned on the far wall of the
    main bedroom.

    I don't know about you but I don't spend much time in my Bedroom ....
    except when I'm sleeping .... so, after rushing from the Loungeroom to
    the Bedroom when the phone rang .... only to find it was a Spammer
    calling, I bought myself a Cordless phone with Answer machine built
    into the Base station .... so, if the phone rings, I let the Answer
    machine do its job .... and, usually, by the time the Answer machine's
    Welcome message has finished, the caller has hung up.

    Job Done!! ;-P

    I have a (corded, as it happens) 'phone at my elbow, so answer almost
    immediately (startles some callers!); however, especially around 10:30am
    which seems to be peak phishtime, I don't actually _say_ anything for a
    few seconds; the same applies - the autodialler (or whatever) gives up.
    (A real caller will usually say something in that time.)
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    You can't abdicate and eat it
    - attributed to Wallis Simpson, in Radio Times 14-20 January 2012.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From ...w¡ñ§±¤ñ@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Fri Jan 23 10:31:32 2026
    From Newsgroup: alt.comp.os.windows-11

    Frank Slootweg wrote on 1/23/2026 8:18 AM:
    Maria Sophia <mariasophia@comprehension.com> wrote:

    AFAIK, Windows Device Encryption on Home automatically backs up the
    recovery key to the user's Microsoft account unless the user actively
    stops it. That default behavior is what ties recovery to Microsoft
    infrastructure.

    Windows Device Encryption also works with a local account. I only have
    a local account and don't have a Microsoft Account. I believe the key is
    stored in the machine's BIOS or similar, hence my comment on saving the
    key somewhere locally in case the machine has a fatal hardware failure.

    Windows Home Device Encryption when enabled
    - first looks to store the key in the MSFT account that was initially
    used to setup (first use) the device even if that MSFT account was
    switched to a local logon. If not setup with a MSFT account or MSFT
    account no longer present on device, the only options for the user to
    obtain the key are - Save to USB, copy to paper, copy and save to text
    file.
    - the key itself for validation purposes is stored on the device, but
    not in readable or accessible form.
    --
    ...w¡ñ§±¤ñ
    --- Synchronet 3.21a-Linux NewsLink 1.2
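    An added PowerShell check, not code from any poster in this thread, that
    covers both Frank's remark about saving the key locally in case of a
    hardware failure and winston's list of the options left when no MSFT
    account holds it: it lists the key protectors on the system drive and,
    where a numerical recovery password protector exists, writes it to a file
    on a removable drive, refusing any non-removable target. The drive
    letter E:, the folder name and an elevated prompt are assumptions.

```powershell
# Added example, not code from any post in this thread. Assumes Windows 10/11
# with the BitLocker PowerShell module available and an elevated prompt.
# $OfflineTarget is an assumed path on a USB stick, not the encrypted OS drive.
$OfflineTarget = 'E:\bitlocker-recovery'

function Get-RecoveryState {
    # Summarise encryption state and key protectors for one volume.
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus    # 'Off' on an encrypted volume means suspended
        ProtectorTypes   = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        RecoveryKeys     = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Export-RecoveryKeyOffline {
    # Write each 48-digit recovery password to its own file on a removable drive.
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$MountPoint = $env:SystemDrive
    )
    # Refuse to store the key on a fixed disk: it would sit beside the data it unlocks.
    $letter = [System.IO.Path]::GetPathRoot($Target).Substring(0, 1)
    $drive  = Get-Volume -DriveLetter $letter -ErrorAction Stop
    if ($drive.DriveType -ne 'Removable') {
        throw "Refusing to write a recovery key to non-removable drive ${letter}:"
    }
    $state = Get-RecoveryState -MountPoint $MountPoint
    if ($state.RecoveryKeys.Count -eq 0) {
        # Typical when the volume is not encrypted, or only TPM protectors exist.
        Write-Warning "No RecoveryPassword protector on $($state.MountPoint) (status: $($state.VolumeStatus)); nothing to export."
        return
    }
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    foreach ($kp in $state.RecoveryKeys) {
        # The protector ID is what the recovery screen shows, so keep it with the key.
        $id   = $kp.KeyProtectorId.Trim('{}')
        $file = Join-Path $Target ("{0}-{1}.txt" -f $env:COMPUTERNAME, $id)
        @(
            "Computer:          $env:COMPUTERNAME"
            "Volume:            $($state.MountPoint)"
            "Key protector ID:  $($kp.KeyProtectorId)"
            "Recovery password: $($kp.RecoveryPassword)"
        ) | Set-Content -Path $file -Encoding ASCII
        $file   # emit the path written, one per protector
    }
}

# Usage: show the state, then export to the assumed USB path.
Get-RecoveryState | Format-List
Export-RecoveryKeyOffline -Target $OfflineTarget
```

    A ProtectionStatus of Off on a FullyEncrypted volume is the state Device
    Encryption leaves a drive in when it is waiting for somewhere to put the
    key, so it is worth checking before trusting the drive is protected.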
  • From Brian Gregory@void-invalid-dead-dontuse@email.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Fri Jan 23 18:26:04 2026
    From Newsgroup: alt.comp.os.windows-11

    On 22/01/2026 15:59, Maria Sophia wrote:
    On biometrics, a key point is that they do not protect data at rest.
    A fingerprint or face scan unlocks the Windows session, but once the
    drive is removed from the laptop the biometric layer is irrelevant. The
    data on the drive is readable unless it is encrypted. Biometrics solve a
    convenience problem for sign in, not a data protection problem for a
    stolen device. That is why I treat them more as a marketing gimmick
    rather than a security control for data at rest.

    Obviously biometrics are not something you add to add protection.
    They simply avoid you having to type a password or PIN.

    The hope is you can have your PC lock itself more often without it
    causing any annoyance.


    My model is simple and well thought out to be optimized for convenience.
    1. Encrypt the small amount of data that matters.
    2. Keep it in Veracrypt containers or a password manager.
    3. Do not rely on BIOS passwords or biometrics for data at rest.
    4. Optimize for convenience during daily use.

    My BIOS password is just another small obstacle in the path of a bad actor.
    --
    Brian Gregory (in England).
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Frank Slootweg@this@ddress.is.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Fri Jan 23 18:43:42 2026
    From Newsgroup: alt.comp.os.windows-11

    Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
    On 22/01/2026 15:59, Maria Sophia wrote:
    [...]
    My model is simple and well thought out to be optimized for convenience.
    1. Encrypt the small amount of data that matters.
    2. Keep it in Veracrypt containers or a password manager.
    3. Do not rely on BIOS passwords or biometrics for data at rest.
    4. Optimize for convenience during daily use.

    My BIOS password is just another small obstacle in the path of a bad actor.

    A *BIOS* password is indeed a - IMO not so - 'small' obstacle, but, as I
    mentioned, it's the *boot* password which adds essential protection.

    So the BIOS password prevents booting from for example a Linux USB
    stick (and accessing the disk that way) and the boot password prevents
    booting Windows. After that, sign-in protection prevents signing in and
    encryption (full or partial) prevents access to essential private data
    (in case the 'drive' is removed from the system).
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Mark Lloyd@not.email@all.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 19:06:20 2026
    From Newsgroup: alt.comp.os.windows-11

    On Fri, 23 Jan 2026 20:17:11 +1100, Daniel70 wrote:

    [snip]

    Having been in the Army, where you could get into trouble for not being
    where you are supposed to be WHEN you are supposed to be there .... so I
    usually have my Car clock set three to five minutes fast .... you know,
    just in case!! (even having been out of the Army over thirty years)

    I used to know someone who did that. I'd rather set my watch RIGHT and do
    my own thinking, and leave on time.

    BTW, I get tired of hearing "fast" and "slow" used improperly, when the
    problem has nothing to do with speed.
    --
    Mark Lloyd
    http://notstupid.us/

    "Think not that I am come to send peace on earth; I came not to send
    peace, but a sword." -- Jesus, Matthew 10:34
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Mark Lloyd@not.email@all.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 19:19:40 2026
    From Newsgroup: alt.comp.os.windows-11

    On Fri, 23 Jan 2026 16:09:08 +0000, J. P. Gilliver wrote:

    [snip]

    I have a (corded, as it happens) 'phone at my elbow, so answer almost
    immediately (startles some callers!); however, especially around 10:30am
    which seems to be peak phishtime, I don't actually _say_ anything for a
    few seconds; the same applies - the autodialler (or whatever) gives up.
    (A real caller will usually say something in that time.)

    I often hang up after saying "hello" twice with no response, unless it's
    someone I know who often does that.

    I got a call this morning that I didn't answer because of multiple signs
    of it being a machine.

    1. The NAME* appearing on caller ID was identical to the number.

    2. The caller did leave a message, but it was "beginning truncated" (the
    first few seconds of the message were missing, like the machine was too
    stupid to WAIT FOR THE BEEP). What I heard first was "(half a word) in
    your area".

    3. The call ended with a few seconds of busy signal, which I hear
    indicates the call was not disconnected properly (it doesn't happen on
    legitimate calls).

    * - a feature that I really wish that mobile phones would have. It can be
    used to detect and ignore most junk calls.
    --
    Mark Lloyd
    http://notstupid.us/

    "Think not that I am come to send peace on earth; I came not to send
    peace, but a sword." -- Jesus, Matthew 10:34
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri Jan 23 19:08:30 2026
    From Newsgroup: alt.comp.os.windows-11

    On Fri, 1/23/2026 2:06 PM, Mark Lloyd wrote:
    On Fri, 23 Jan 2026 20:17:11 +1100, Daniel70 wrote:

    [snip]

    Having been in the Army, where you could get into trouble for not being
    where you are supposed to be WHEN you are supposed to be there .... so I
    usually have my Car clock set three to five minutes fast .... you know.
    just in case!! (even having been out of the Army over thirty years)

    I used to know someone who did that. I'd rather set my watch RIGHT and do
    my own thinking, and leave on time.

    BTW, I get tired of hearing "fast" and "slow" used improperly, when the
    problem has nothing to do with speed.


    There is the frequency adjustment of the reference oscillator,
    to avoid first order drift. On typical time pieces, this
    runs at 32768.0000 Hz (above human hearing). A watchmaker may
    have a suitable instrument while working to correct the value.
    A trimmer capacitor is inside the watch, to make tweaks.
    The RTC in a personal computer is missing this adjustment.

    And there is the purposeful register offset, to arrive
    at destinations ahead of an appointment. The register
    could be adjusted ahead, behind, or nominal.

    "I set my watch ahead, so I will always be on time for appointments"

    [well, not absolutely always, depends on paragraph 1]

    Good time pieces are temperature compensated, as the ambient
    temperature changes, the tempco of some of the elements are
    made to cancel, and it gives the impression the device
    is temperature invariant (which it is not). Scientific American
    used to have articles about this, in the Amateur Scientist section.
    Some cars have had excellent temperature compensated time clock pieces.

    There is one computer design, which cannot tell time under any
    circumstances. The NVidia NForce2, if operated with a non-canonical
    BCLK, would go nuts and the time could not be nulled, even with NTP
    cranked way up to adjust it. The MCP chip was fine at 66MHz, 100MHz,
    133MHz sort of thing, but if you selected 75MHz or 129MHz, that caused
    the time to jump all over the place from reading to reading. I don't
    think NVidia ever admitted to that, but for the people playing with
    that, they got the entertainment value for sure.

    Paul
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From J. P. Gilliver@G6JPG@255soft.uk to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 00:10:08 2026
    From Newsgroup: alt.comp.os.windows-11

    On 2026/1/23 19:6:20, Mark Lloyd wrote:
    On Fri, 23 Jan 2026 20:17:11 +1100, Daniel70 wrote:

    [snip]

    Having been in the Army, where you could get into trouble for not being
    where you are supposed to be WHEN you are supposed to be there .... so I
    usually have my Car clock set three to five minutes fast .... you know.
    just in case!! (even having been out of the Army over thirty years)

    I used to know someone who did that. I'd rather set my watch RIGHT and do
    my own thinking, and leave on time.

    BTW, I get tired of hearing "fast" and "slow" used improperly, when the
    problem has nothing to do with speed.

    Those two words do also have another meaning, relating specifically to
    timepieces and having nothing to do with speed, only offset; consult any
    good dictionary.
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    The fact that there is a highway to hell and only a stairway to heaven
    says a lot about anticipated traffic numbers.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From J. P. Gilliver@G6JPG@255soft.uk to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 00:16:33 2026
    From Newsgroup: alt.comp.os.windows-11

    On 2026/1/23 19:19:40, Mark Lloyd wrote:
    On Fri, 23 Jan 2026 16:09:08 +0000, J. P. Gilliver wrote:

    [snip]

    I have a (corded, as it happens) 'phone at my elbow, so answer almost
    immediately (startles some callers!); however, especially around 10:30am
    which seems to be peak phishtime, I don't actually _say_ anything for a
    few seconds; the same applies - the autodialler (or whatever) gives up.
    (A real caller will usually say something in that time.)

    I often hang up after saying "hello" twice with no response, unless it's
    someone I know who often does that.

    I got a call this morning that I didn't answer because of multiple signs
    of it being a machine.

    1. The NAME* appearing on caller ID was identical to the number.

    2. The caller did leave a message, but it was "beginning truncated" (the
    first few seconds of the message were missing, like the machine was too
    stupid to WAIT FOR THE BEEP). What I heard first was "(half a word) in
    your area".

    3. The call ended with a few seconds of busy signal, which I hear
    indicates the call was not disconnected properly (it doesn't happen on
    legitimate calls).

    * - a feature that I really wish that mobile phones would have. It can be
    used to detect and ignore most junk calls.

    I've never seen a landline 'phone that displays a NAME - other than ones
    where YOU can program in (to the handset or the basestation) names that
    YOU associate with certain numbers.
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    The fact that there is a highway to hell and only a stairway to heaven
    says a lot about anticipated traffic numbers.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 20:09:46 2026
    From Newsgroup: alt.comp.os.windows-11

    On 24/01/2026 3:04 am, J. P. Gilliver wrote:
    On 2026/1/23 11:19:59, Daniel70 wrote:
    On 23/01/2026 8:17 pm, Daniel70 wrote:
    On 23/01/2026 7:24 am, J. P. Gilliver wrote:

    <Snip>

    Plus, if I _had_ a smartphone, I'd presumably mostly be doing
    something with it (if not, why have one?),

    For EMERGENCIES!! RE-read my last para!! ;-)

    Yes, I have a mobile 'phone, for exactly that - in case of car
    breakdown. But it truly _is_ for emergencies: I have a PAYG contract, or
    more or less as near as I could get - the words "per month" are _not_
    involved.

    With my account I can "Top Up" either $25 or $35 at a time .... and that
    money is GOOD for Twelve Months or so!!

    Actually what I've got is better suited for that use: rather
    than several tens of pence per minute, it costs me 2 pounds _if_ I use
    it, but I then get unlimited calls for the rest of that day, which would
    probably be useful for a remote breakdown. [Hasn't happened since I
    preloaded it.])

    I think mine is 10 cents per SMS and 50 cents per Voice minute.

    But now _you_ re-read what I said: SMARTphone. The one I have - I think
    it's Nokia; was the only one I could find without a camera, which was a
    requirement at the time I bought it.

    O.K. Strange but, if that's what you want, O.K.

    I charge it once a week, though the
    little symbol implies it's only a third discharged (I do leave it on).
    [Don't most smartphones last 2-3 days at most?] If I _had_ a smartphone,
    then presumably most of the time I would be doing something with it,
    else why have one?

    Mine lasts 4 - 5 days .... but then I turn it OFF whilst I'm in Bed!!

    so would have to change/minimise to see the clock (or peer at tiny
    digits along the edge of the display).

    Having been in the Army, where you could get into trouble for not
    being where you are supposed to be WHEN you are supposed to be there

    (I have suffered slightly career-wise from _not_ being punctual - and
    mine _wasn't_ in the services!)

    .... so I usually have my Car clock set three to five minutes fast
    .... you know. just in case!! (even having been out of the Army over
    thirty years)

    Doesn't setting it fast cease to work after a short time, though,
    because you _know_ it's set fast?

    If you've got time to think about it, Yes, probably .... but IF you are
    in a RUSH, would you bother (REALLY) thinking about it .. or just GET
    THERE? ;-P
    --
    Daniel70
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 20:20:21 2026
    From Newsgroup: alt.comp.os.windows-11

    On 24/01/2026 3:09 am, J. P. Gilliver wrote:
    On 2026/1/23 9:26:42, Daniel70 wrote:

    []

    I moved into this house about Ten years ago and, for some reason or
    other, the Phone Landline socket is positioned on the far wall of the
    main bedroom.

    I don't know about you but I don't spend much time in my Bedroom ....
    except when I'm sleeping .... so, after rushing from the Loungeroom to
    the Bedroom when the phone rang .... only to find it was a Spammer
    calling, I bought myself a Cordless phone with Answer machine built
    into the Base station .... so, if the phone rings, I let the Answer
    machine do its job .... and, usually, by the time the Answer machine's
    Welcome message has finished, the caller has hung up.

    Job Done!! ;-P

    I have a (corded, as it happens) 'phone at my elbow, so answer almost
    immediately (startles some callers!); however, especially around 10:30am
    which seems to be peak phishtime, I don't actually _say_ anything for a
    few seconds; the same applies - the autodialler (or whatever) gives up.

    Yeap, done that, too, when I first got the Cordless phone!!

    (A real caller will usually say something in that time.)

    Yeap.
    --
    Daniel70
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 20:29:30 2026
    From Newsgroup: alt.comp.os.windows-11

    On 24/01/2026 6:19 am, Mark Lloyd wrote:
    On Fri, 23 Jan 2026 16:09:08 +0000, J. P. Gilliver wrote:

    [snip]

    I have a (corded, as it happens) 'phone at my elbow, so answer almost
    immediately (startles some callers!); however, especially around 10:30am
    which seems to be peak phishtime, I don't actually _say_ anything for a
    few seconds; the same applies - the autodialler (or whatever) gives up.
    (A real caller will usually say something in that time.)

    I often hang up after saying "hello" twice with no response, unless it's
    someone I know who often does that.

    I got a call this morning that I didn't answer because of multiple signs
    of it being a machine.

    1. The NAME* appearing on caller ID was identical to the number.

    2. The caller did leave a message, but it was "beginning truncated" (the
    first few seconds of the message were missing, like the machine was too
    stupid to WAIT FOR THE BEEP). What I heard first was "(half a word) in
    your area".

    3. The call ended with a few seconds of busy signal, which I hear
    indicates the call was not disconnected properly (it doesn't happen on
    legitimate calls).

    * - a feature that I really wish that mobile phones would have. It can be
    used to detect and ignore most junk calls.

    With my Mobile, I've gotten to the point of "If the Caller isn't in my
    'Phonebook', I just let it Ring and Ring until THEY give up."

    I figure if it were a REAL person trying to contact me, and I didn't
    answer their call, the REAL person would probably TEXT me.

    It just occurred to me .... If THEIR Phone wasn't TEXT capable, that
    could be a problem!! ;-P
    --
    Daniel70
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 13:29:54 2026
    From Newsgroup: alt.comp.os.windows-11

    Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
    On 22/01/2026 15:59, Maria Sophia wrote:
    On biometrics, a key point is that they do not protect data at rest.
    A fingerprint or face scan unlocks the Windows session, but once the
    drive is removed from the laptop the biometric layer is irrelevant. The
    data on the drive is readable unless it is encrypted. Biometrics solve a
    convenience problem for sign in, not a data protection problem for a
    stolen device. That is why I treat them more as a marketing gimmick rather >> than a security control for data at rest.

    Obviously biometrics are not something you add to add protection.
    They simply avoid you having to type a password or PIN.

    Disagree. You can't guess a biometric like you can a PIN. You can't
    shoulder surf someone's biometric like a PIN code.

    Biometrics are more secure. If implemented properly, obviously. Some early mobile phone implementations were terrible.

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Mark Lloyd@not.email@all.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 17:17:53 2026
    From Newsgroup: alt.comp.os.windows-11

    On Fri, 23 Jan 2026 19:08:30 -0500, Paul wrote:

    [snip]

    There is the frequency adjustment of the reference oscillator,
    to avoid first order drift. On typical time pieces, this runs at
    32768.0000 Hz (above human hearing).

    I remember about those crystals. You really need 1Hz but a 1Hz crystal
    would be much too big. 32768 is exactly 2^15, so it's easy for an
    electronic circuit to get 1Hz from that.

    A watchmaker may have a suitable
    instrument while working to correct the value.
    A trimmer capacitor is inside the watch, to make tweaks.
    The RTC in a personal computer is missing this adjustment.

    And there is the purposeful register offset, to arrive at destinations
    ahead of an appointment. The register could be adjusted ahead, behind,
    or nominal.

    "I set my watch ahead, so I will always be on time for
    appointments"

    [well, not absolutely always, depends on paragraph 1]

    I always set it to the right time, and leave early for appointments.
    Setting it wrong could be confusing.

    Good timepieces are temperature compensated: as the ambient temperature changes, the tempcos of some of the elements are made to cancel, and it
    gives the impression the device is temperature invariant (which it is
    not). Scientific American used to have articles about this, in the
    Amateur Scientist section.
    Some cars have had excellent temperature compensated time clock pieces.

    My mother's Volvo had a clock like that. It kept really good time, but was hard to set. She never changed it for DST, just remembered the offset.

    BTW, I've been calling DST "Damn Stupid Time". The nonsense idea that
    changing clocks could actually give you more time (or more daylight).

    Another clock I've seen was on a TV news show seen all over the country.
    The clock had only a minute hand, since the hour would be different in different places.

    [snip]
    --
    Mark Lloyd
    http://notstupid.us/

    "Sit down before fact as a little child, be prepared to give up every preconceived notion, follow humbly wherever and to whatever abyss nature
    leads, or you shall learn nothing." Thomas Henry Huxley
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Mark Lloyd@not.email@all.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 17:33:13 2026
    From Newsgroup: alt.comp.os.windows-11

    On Sat, 24 Jan 2026 00:16:33 +0000, J. P. Gilliver wrote:

    On 2026/1/23 19:19:40, Mark Lloyd wrote:
    On Fri, 23 Jan 2026 16:09:08 +0000, J. P. Gilliver wrote:

    [snip]

    I have a (corded, as it happens) 'phone at my elbow, so answer almost
    immediately (startles some callers!); however, especially around
    10:30am which seems to be peak phishtime, I don't actually _say_
    anything for a few seconds; the same applies - the autodialler (or
    whatever) gives up. (A real caller will usually say something in that
    time.)

    I often hang up after saying "hello" twice with no response, unless
    it's someone I know who often does that.

    I got a call this morning that I didn't answer because of multiple
    signs of it being a machine.

    1. The NAME* appearing on caller ID was identical to the number.

    2. The caller did leave a message, but it was "beginning truncated"
    (the first few seconds of the message were missing, like the machine
    was too stupid to WAIT FOR THE BEEP). What I heard first was "(half a
    word) in your area".

    3. The call ended with a few seconds of busy signal, which I hear
    indicates the call was not disconnected properly (it doesn't happen on
    legitimate calls).

    * - a feature that I really wish that mobile phones would have. It can
    be used to detect and ignore most junk calls.

    I've never seen a landline 'phone that displays a NAME - other than ones where YOU can program in (to the handset or the basestation) names that
    YOU associate with certain numbers.

    AFAIK, all landline systems have it now (although I don't know about
    wireless home phone service from a cell company). Older phones will
    require a separate display device. For a long time I've used cordless
    phones with the CID display (both name and number) built-in.

    BTW, most of the ones (separate CID displays) I had used a reflective LCD display with no backlight. These were hard to read unless you get the
    angle just right.

    For junk calls, many show 1 of these 2 patterns in the name display:

    1. CITY ST (like TELEPHONE TX). I hear that that's what happens when the number is not registered, and it's trying to tell you where the call is
    coming from. This is most likely useless when you're dealing with spoofed numbers, but the pattern usually does identify a robocall.

    2. The NAME field has just a number in it, often the same as the number
    field.

    BTW, there really is a TELEPHONE TX. It's a little town which probably has nothing to do with the spammer.

    OT: We had a little snow last night.
    --
    Mark Lloyd
    http://notstupid.us/

    "Sit down before fact as a little child, be prepared to give up every preconceived notion, follow humbly wherever and to whatever abyss nature
    leads, or you shall learn nothing." Thomas Henry Huxley
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From J. P. Gilliver@G6JPG@255soft.uk to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 19:48:07 2026
    From Newsgroup: alt.comp.os.windows-11

    On 2026/1/24 17:33:13, Mark Lloyd wrote:
    On Sat, 24 Jan 2026 00:16:33 +0000, J. P. Gilliver wrote:

    []

    I've never seen a landline 'phone that displays a NAME - other than ones
    where YOU can program in (to the handset or the basestation) names that
    YOU associate with certain numbers.

    AFAIK, all landline systems have it now (although I don't know about wireless home phone service from a cell company). Older phones will
    require a separate display device. For a long time I've used cordless
    phones with the CID display (both name and number) built-in.

    I don't think the POTS in the UK supplies name information (or anything textual) - only calling number. (I don't _think_ even the mobile
    [cellular] networks do.)

    You can get handsets (for POTS - I think it's more or less universal for
    mobile ones) which do display name, but you have to program in yourself
    the names that go with numbers that call you - the system doesn't
    provide that information.


    BTW, most of the ones (separate CID displays) I had used a reflective LCD display with no backlight. These were hard to read unless you get the
    angle just right.

    For junk calls, many show 1 of these 2 patterns in the name display:

    1. CITY ST (like TELEPHONE TX). I hear that that's what happens when the number is not registered, and it's trying to tell you where the call is coming from. This is most likely useless when you're dealing with spoofed numbers, but the pattern usually does identify a robocall.

    2. The NAME field has just a number in it, often the same as the number field.

    BTW, there really is a TELEPHONE TX. It's a little town which probably has nothing to do with the spammer.

    OT: We had a little snow last night.

    Just a lot of rain here (Kent, SE England).
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    "quidquid latine dictum sit, altum viditur".
    ("Anything is more impressive if you say it in Latin")

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sat Jan 24 15:45:47 2026
    From Newsgroup: alt.comp.os.windows-11

    ...w¡ñ§±¤ñ wrote:
    Frank Slootweg wrote on 1/23/2026 8:18 AM:
    Maria Sophia <mariasophia@comprehension.com> wrote:

    AFAIK, Windows Device Encryption on Home automatically backs up the
    recovery key to the user's Microsoft account unless the user actively stops
    it. That default behavior is what ties recovery to Microsoft
    infrastructure.

    Windows Device Encryption also works with a local account. I only have
    a local account and don't have a Microsoft Account. I believe the key is
    stored in the machine's BIOS or similar, hence my comment on saving the
    key somewhere locally in case the machine has a fatal hardware failure.

    Windows Home Device Encryption when enabled
    - first looks to store the key in the MSFT account that was initially
    used to setup(first use) the device even if that MSFT account was
    switched to a local logon. If not setup with a MSFT account or MSFT
    account no longer present on device, the only options for the user to
    obtain the key are - Save to USB, copy to paper, copy and save to text file.
    - the key itself for validation purposes is stored on the device, but
    not in readable or accessible form.

    Thanks for the clarification. I was researching this in a response for Paul just now in the bitlocker thread (where MS handed the keys to LE), where we need to pin down the distinction between Device Encryption on Home and full BitLocker on Pro with respect to where we "can" store the encryption keys.

    AFAIK...
    i. Windows Home does not include full BitLocker. It includes Device
    Encryption, which is a limited version with almost no user control.

    ii. When Device Encryption is enabled on a machine that was ever set up
    with a Microsoft account, it is my understanding that the recovery
    key is uploaded to that account by default. That upload is part of
    the design, therefore it is not an option the user can decline
    if that Windows Home machine was set up with a Microsoft Account.

    iii. If the machine was never set up with a Microsoft account, the user
    can save the recovery key locally, but Home still does not allow a
    password or PIN protector. The only protector is the hardware TPM.

    iv. Windows Pro is different. Full BitLocker allows password protectors,
    PIN protectors, USB key protectors, and offline storage of the
    recovery key. No Microsoft account is required.

    v. The recent reports about Microsoft providing recovery keys to law
    enforcement involved keys stored in Microsoft accounts. That perhaps
    most applies to default Device Encryption on Home, and maybe not
    so much to BitLocker on Pro when configured with local-only protectors.

    In summary, I think that Windows Home users do not have the same kind of control over key storage that Windows Pro users have. That is why the
    default workflow on Home ends up with the recovery key in a Microsoft
    account in most cases.

    HERE IS MY PRIOR RESPONSE IN THE BITLOCKER THREAD:
    A. Windows Home
    i. Windows Home does not include full BitLocker.
    ii. It includes Device Encryption, which is a cut down version.
    iii. Device Encryption requires a Microsoft account to store the
    recovery key, so users who avoid MSA's cannot use it.
    iv. Device Encryption cannot be managed with full BitLocker commands.
    v. It has no Group Policy controls, no advanced protectors, and no
    ability to encrypt only certain volumes.

    B. Windows Pro
    i. Windows Pro includes full BitLocker.
    ii. BitLocker can encrypt OS drives, fixed data drives, and removable
    drives.
    iii. BitLocker can be used without a Microsoft account.
    iv. BitLocker supports TPM, PIN, password, and recovery key options.
    v. BitLocker has full command line control with manage-bde.

    C. Summary
    i. Windows Home = Device Encryption only, limited, account required.
    ii. Windows Pro = Full BitLocker, full control, no account required.
    iii. Device Encryption is sometimes called "BitLocker lite" because
    it uses the same underlying driver but lacks the management
    features.

    Note this means that if we're worried about the topic of this thread, and
    if we still wish to use bit locker, then we prolly' shouldn't be on Windows Home but on Windows Pro (or, as Paul & Bill suggested, use other tools).
    --
    On Usenet, we trade decades of lessons so nobody has to learn them twice.

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sat Jan 24 15:57:19 2026
    From Newsgroup: alt.comp.os.windows-11

    Frank Slootweg wrote:
    Windows Device Encryption also works with a local account. I only have
    a local account and don't have a Microsoft Account. I believe the key is stored in the machine's BIOS or similar, hence my comment on saving the
    key somewhere locally in case the machine has a fatal hardware failure.

    Hi Frank,

    Much appreciated your deeper explanation of FDE as I use containers instead (which I use for convenience so I only enter a passphrase when needed).

    My use model employs partial encryption (e.g., VeraCrypt containers), so Frank's more-standard use model of full encryption on Windows Home is new
    to me. What I've researched about Windows FDE may be wrong, but here is my
    best understanding of the pros and cons of the two models, in practice.

    i. Device Encryption on Windows Home does not support password or PIN
    protectors. The only protector is the TPM.

    ii. Because the TPM is the protector, the machine unlocks the encrypted
    drive automatically. We do not enter the 48 digit recovery key at
    startup. That key is only for recovery mode.

    iii. Windows may still ask for our normal account password after the
    drive is unlocked. That password is for signing in to Windows, not
    for unlocking the disk. Device Encryption on Home cannot require a
    boot password or PIN. Only Windows Pro can do that.

    iv. If the TPM state changes or the disk is moved, Windows will stop at
    a recovery screen and ask for the 48 digit key. That is when we plug
    in our USB stick or type the 48 digits from our paper copy.

    v. If the machine boots normally, we never see the key prompt. The TPM
    unlocks the drive silently. The recovery key itself is not stored in
    BIOS in readable form. The TPM holds the cryptographic material that
    unlocks the disk.

    vi. This is why Windows Home cannot be used for high security. We cannot
    force a password at boot, disable TPM auto unlock, or require user
    presence. Only Windows Pro can do that.

    If we want true password-protected FDE, we need:
    a. Windows 10 Pro or Windows 11 Pro
    b. Or a third-party FDE tool
    c. Or Linux with LUKS, which always supports passphrases

    I thank Frank for his suggestions as I created my low-friction protection
    model years ago (maybe even decades ago) when Truecrypt was still a thing.
    --
    On Usenet, we old men trade facts so everyone can make better choices.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From ...w¡ñ§±¤ñ@winstonmvp@gmail.com to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 17:14:51 2026
    From Newsgroup: alt.comp.os.windows-11

    Mark Lloyd wrote on 1/24/2026 10:33 AM:
    On Sat, 24 Jan 2026 00:16:33 +0000, J. P. Gilliver wrote:
    I've never seen a landline 'phone that displays a NAME - other than ones
    where YOU can program in (to the handset or the basestation) names that
    YOU associate with certain numbers.

    AFAIK, all landline systems have it now (although I don't know about
    wireless home phone service from a cell company). Older phones will
    require a separate display device. For a long time I've used cordless
    phones with the CID display (both name and number) built-in.

    BTW, most of the ones (separate CID displays) I had used a reflective LCD display with no backlight. These were hard to read unless you get the
    angle just right.


    It depends upon the type of land line phone - some older models (handset
    and base) do not have a display, while others (some older and newer)
    have a display.
    The caller content information displayed on the latter may also vary. Additionally, without caller ID (sometimes an add-on, extra $)
    the information may be limited to the user's own entry of number and name (I've
    one of those in my garage - a land-line connection without caller ID, but it displays the name/# that I entered manually via the phone's
    programmable option - it retains the info even if removed from its wall (land-line) phone jack).

    Another land-line in the house is connected with an AC-powered base (holds
    and recharges cordless handsets) - one master base, plus two remote AC
    bases and handsets. The remotes sync with the master (messages and
    programmed names/phone #s, etc.), the master auto-answers and stores
    messages from the caller. All handsets, as noted, can access the
    caller-left messages stored on the master.
    - I rarely answer any landline, just let it ring (3x) before it answers
    and starts the leave-a-message mode (whose greeting I leave blank) - some callers
    may leave a message, others never, with some obviously trying to figure
    out what to do before hanging up.
    --
    ...w¡ñ§±¤ñ
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From ...w¡ñ§±¤ñ@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sat Jan 24 17:34:41 2026
    From Newsgroup: alt.comp.os.windows-11

    Maria Sophia wrote on 1/24/2026 1:45 PM:

    Windows Home Device Encryption when enabled
      - first looks to store the key in the MSFT account that was initially
    used to setup(first use) the device even if that MSFT account was
    switched to a local logon. If not setup with a MSFT account or MSFT
    account no longer present on device, the only options for the user to
    obtain the key are - Save to USB, copy to paper, copy and save to text
    file.
      - the key itself for validation purposes is stored on the device, but
    not in readable or accessible form.

    Thanks for the clarification. I was researching this in a response for Paul just now in the bitlocker thread (where MS handed the keys to LE), where we need to pin down the distinction between Device Encryption on Home and full BitLocker on Pro with respect to where we "can" store the encryption keys.

    AFAIK...
    i. Windows Home does not include full BitLocker. It includes Device
      Encryption, which is a limited version with almost no user control.

    Previously covered in this thread like the other Roman numeral points.


    v. The recent reports about Microsoft providing recovery keys to law
      enforcement involved keys stored in Microsoft accounts. That perhaps
      most applies to default Device Encryption on Home, and maybe not
      so much to BitLocker on Pro when configured with local-only protectors.

    It applies to valid legal requests for BitLocker keys (for devices that support BitLocker) stored in their Microsoft accounts (which
    is the only location where MSFT has access to recovery keys, i.e. they can't
    and don't mine Windows devices for recovery key content in any form).

    In summary, I think that Windows Home users do not have the same kind of control over key storage that Windows Pro users have.

    At least, you're getting closer to the entire picture (BitLocker
    encryption is fully supported on Enterprise and Edu editions, too).

    That is why the default workflow on Home ends up with the
    recovery key in a Microsoft account in most cases.
    It does not (for Windows Home).
    --
    ...w¡ñ§±¤ñ
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat Jan 24 21:27:53 2026
    From Newsgroup: alt.comp.os.windows-11

    Chris wrote:
    Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
    On 22/01/2026 15:59, Maria Sophia wrote:
    On biometrics, a key point is that they do not protect data at rest.
    A fingerprint or face scan unlocks the Windows session, but once the
    drive is removed from the laptop the biometric layer is irrelevant. The
    data on the drive is readable unless it is encrypted. Biometrics solve a
    convenience problem for sign in, not a data protection problem for a
    stolen device. That is why I treat them more as a marketing gimmick rather
    than a security control for data at rest.

    Obviously biometrics are not something you add to add protection.
    They simply avoid you having to type a password or PIN.

    Disagree. You can't guess a biometric like you can a PIN. You can't
    shoulder surf someone's biometric like a PIN code.

    Biometrics are more secure. If implemented properly, obviously. Some early mobile phone implementations were terrible.

    Hi Chris,

    While OEMs strive to differentiate hype on biometrics, it's my assessment
    that the biometrics available to consumers are merely marketing gimmicks.

    Even so, on the specific topic of what I've termed "biometric marketing gimmicks", we are mixing several security layers in this thread discussion.

    1. BIOS or UEFI passwords
    A. Supervisor or admin password
    Controls access to firmware settings. Prevents changes to boot
    order, secure boot, virtualization, and other low level options.
    B. User or power on password
    Stops the machine from booting until the password is entered.
    Does not protect the drive if it is removed from the system.
    C. Purpose
    Protects the boot path and firmware settings. Does not protect
    data at rest unless combined with disk encryption.

    2. Boot level authentication
    A. BitLocker PIN (Windows Pro)
    A pre boot PIN that must be entered before the OS loads. This
    protects the encryption key. Stronger than relying on TPM alone.
    B. BitLocker device encryption (Windows Home)
    No pre boot PIN. TPM auto unlocks the drive. Convenient but
    weaker against physical theft.
    C. VeraCrypt pre boot authentication (see separate thread on this)
    Requires a password before the OS loads. Can also use keyfiles.
    Protects the encryption key before any OS code runs.

    3. Operating system sign in
    A. Password
    Traditional sign in. Can be long and strong. Does not protect
    data at rest unless tied to disk encryption.
    B. PIN
    Local to the device. Shorter but protected by TPM. Used to
    release the encryption key. Still guessable if observed.
    C. Biometrics
    Fingerprint or face scan. Convenience feature that unlocks the
    session after the encryption key has already been released.
    Cannot protect data at rest. Cannot replace the encryption key.

    4. Application level secrets
    A. VeraCrypt keyfiles
    Extra factor stored on removable media. Must be present to
    unlock a volume. Strong if kept separate from the device.
    B. KeePassXC master password
    Protects the password database. Strength depends entirely on
    the master password. Biometrics do not protect the database.
    C. KeePassXC keyfile
    Optional second factor. Must be provided along with the master
    password. Strong if stored offline.

    5. Summary of roles
    A. BIOS or UEFI passwords
    Protect firmware settings and boot control.
    B. Boot level authentication
    Protects the encryption key before the OS loads.
    C. OS sign in
    Protects the active session, not the data at rest.
    D. Application level secrets
    Protect individual encrypted containers or password vaults.

    Back to biometric marketing gimmicks, what they actually can do is...
    A. Reduce friction so users actually lock their devices.
    B. Prevent casual misuse or shoulder surfing during sign in.
    C. Do not protect data at rest. Do not protect encryption keys.
    D. Are convenience features layered on top of real controls.
    --
    My conclusions follow the simplest model that fits every known fact.
    --- Synchronet 3.21a-Linux NewsLink 1.2
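    The two Maria Sophia posts above on Device Encryption versus BitLocker, and
    item 2 of the layered list in this post, both come down to one question per
    volume: which key protector actually releases the encryption key on a normal
    boot, and where the 48-digit recovery password lives. The PowerShell below is
    an added example written for this thread; it is not code from any poster and
    not Microsoft's. It audits that question with the BitLocker module's own
    cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector,
    Remove-BitLockerKeyProtector) and, with -Harden, moves an OS volume from
    TPM-only auto-unlock to TPM+PIN with the recovery password written to a file
    you choose instead of a Microsoft account. The export path
    D:\bitlocker-recovery.txt is an assumption. It needs an elevated prompt on
    Pro, Enterprise or Education with the "Require additional authentication at
    startup" policy allowing a PIN; on Home, where Device Encryption offers only
    the TPM protector, expect the hardening step to be refused.

```powershell
# Added example for this thread (not from any post, not Microsoft's code).
# Audit which BitLocker key protector unlocks each volume; optionally move
# the OS volume from TPM-only auto-unlock to TPM+PIN.
# Usage (elevated PowerShell on Pro/Enterprise/Education):
#   .\Audit-BitLocker.ps1            # report only
#   .\Audit-BitLocker.ps1 -Harden    # report, then switch C: to TPM+PIN
[CmdletBinding()]
param(
    [switch]$Harden,
    [string]$OsVolume = 'C:',
    # Assumed export location: removable media you keep away from the machine.
    [string]$RecoveryExport = 'D:\bitlocker-recovery.txt'
)

function Get-ProtectorVerdict {
    # One plain-English line per volume: what someone holding the bare drive,
    # or the whole laptop, is actually up against.
    param([Parameter(Mandatory)] $Volume)
    $types = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ($Volume.ProtectionStatus -ne 'On') {
        $verdict = 'NOT PROTECTED: encryption off, suspended, or still in progress'
    } elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
        $verdict = 'TPM+PIN: a secret is required before the OS loads'
    } elseif ($types -contains 'Tpm') {
        $verdict = 'TPM ONLY: a normal boot auto-unlocks; only the sign-in screen is left'
    } elseif ($types -contains 'Password') {
        $verdict = 'PASSWORD: unlocked by a typed password (data-volume style)'
    } else {
        $verdict = "OTHER: $($types -join ',')"
    }

    [pscustomobject]@{
        MountPoint  = $Volume.MountPoint
        VolumeType  = $Volume.VolumeType
        Protection  = $Volume.ProtectionStatus
        Protectors  = ($types -join ',')
        HasRecovery = ($types -contains 'RecoveryPassword')
        Verdict     = $verdict
    }
}

function Export-RecoveryPassword {
    # Write the 48-digit recovery password(s) to a file you control, so the
    # only copy is not the one sitting in a Microsoft account.
    param([string]$MountPoint, [string]$Path)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { '{0} {1} {2}' -f $vol.MountPoint, $_.KeyProtectorId, $_.RecoveryPassword } |
        Set-Content -Path $Path -Encoding ASCII
}

function Set-TpmPinProtector {
    # Order matters: export recovery first, add TPM+PIN (fails cleanly if
    # policy forbids a PIN, leaving the volume untouched), then drop any
    # leftover TPM-only protector so the silent-unlock path is closed.
    param([string]$MountPoint, [string]$ExportPath)
    Export-RecoveryPassword -MountPoint $MountPoint -Path $ExportPath
    # Read-Host -AsSecureString keeps the PIN out of the command line and history.
    $pin = Read-Host -AsSecureString -Prompt 'New pre-boot PIN'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin -ErrorAction Stop | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
}

Get-BitLockerVolume | ForEach-Object { Get-ProtectorVerdict -Volume $_ } | Format-Table -AutoSize

if ($Harden) {
    Set-TpmPinProtector -MountPoint $OsVolume -ExportPath $RecoveryExport
    Get-ProtectorVerdict -Volume (Get-BitLockerVolume -MountPoint $OsVolume) | Format-List
}
```

    The audit alone is worth running on a Home machine: a row that reads
    "TPM ONLY" with HasRecovery True is exactly the Device Encryption state the
    thread describes, where the disk unlocks itself on a normal boot and the
    recovery password is the only other protector. Test the recovery file by
    reading it back before you trust it, and keep it off the encrypted volume.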
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sat Jan 24 21:33:04 2026
    From Newsgroup: alt.comp.os.windows-11

    Frank Slootweg wrote:
    Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
    On 22/01/2026 15:59, Maria Sophia wrote:
    [...]
    My model is simple and well thought out to be optimized for convenience.
    1. Encrypt the small amount of data that matters.
    2. Keep it in Veracrypt containers or a password manager.
    3. Do not rely on BIOS passwords or biometrics for data at rest.
    4. Optimize for convenience during daily use.

    My BIOS password is just another small obstacle in the path of a bad actor.

    A *BIOS* password is indeed a - IMO not so - 'small' obstacle, but, as I mentioned, it's the *boot* password which adds essential protection.

    So the BIOS password prevents booting from for example a Linux USB
    stick (and accessing the disk that way) and the boot password prevents booting Windows. After that, sign-in protection prevents signing in and encryption (full or partial) prevents access to essential private data
    (in case the 'drive' is removed from the system).


    As Frank implied, A BIOS or UEFI password controls the firmware settings
    and the boot path. A boot password controls whether the OS can load.

    Both are useful obstacles, but I would like to make sure all who are
    reading this are aware that neither protects data at rest once the drive is removed (which would happen in an aforementioned "burglary situation").

    The only layer that protects data at rest is encryption of that data.

    a. That can be BitLocker with a pre boot PIN, or VeraCrypt with pre boot
    authentication, or any system where the encryption key is not released
    until a password is entered.

    b. Once the drive is out of the machine the BIOS password, the boot
    password, and the OS sign in password are no longer in the path. The
    attacker is facing the encryption key, not the firmware or the OS.

    c. That is one reason why my own model focuses on encrypting the small
    amount of data that matters and keeping it in VeraCrypt containers
    or a password manager (such as KeepassXC is).

    For me, it is simple and it avoids relying on layers that do not
    protect data at rest.

    However, none of this says BIOS or boot passwords are useless.
    They are useful obstacles.

    They just solve a different problem than the one I am describing, which is solved by container storage of private data & of user password information.
    --- Synchronet 3.21a-Linux NewsLink 1.2
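    The container model Maria Sophia describes (item c in this post, and items
    4A and 4C of her layered list a few posts up: a VeraCrypt container opened
    only when needed, with a keyfile on removable media as a second factor and
    the KeePassXC database kept inside) can be driven from VeraCrypt's own
    command-line switches. The PowerShell below is an added example written for
    this thread, not code from any poster or from the VeraCrypt project. The
    install path, the container and keyfile locations, the drive letter and the
    KeePassXC path are assumptions; /v, /l, /k, /q, /s and /d are VeraCrypt's
    documented switches. No /p is passed on purpose, so VeraCrypt prompts for the
    passphrase in its own dialog and it never lands in the shell history.

```powershell
# Added example (not from the thread or the VeraCrypt project): mount a
# VeraCrypt container on demand with a keyfile kept on removable media,
# do the work, then dismount. All paths are assumptions for illustration.
# Usage:  .\Use-Container.ps1 -Container 'D:\private.hc' -KeyFile 'E:\vault.key'
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$Container,    # VeraCrypt container file
    [Parameter(Mandatory)] [string]$KeyFile,      # keyfile on a USB stick (2nd factor)
    [string]$Letter    = 'X',                     # drive letter to mount on
    [string]$VeraCrypt = 'C:\Program Files\VeraCrypt\VeraCrypt.exe',
    [string]$KeePassXC = 'C:\Program Files\KeePassXC\KeePassXC.exe'
)

function Mount-Container {
    # /v volume, /l letter, /k keyfile, /q quit after the action.
    # No /p: VeraCrypt shows its own password dialog, so the passphrase is
    # not left in the PowerShell command line or history.
    param([string]$Exe, [string]$Vol, [string]$Key, [string]$Drive)
    if (-not (Test-Path -LiteralPath $Key)) {
        throw "Keyfile not present; insert the USB stick ($Key)"
    }
    $argList = @('/v', "`"$Vol`"", '/l', $Drive, '/k', "`"$Key`"", '/q')
    Start-Process -FilePath $Exe -ArgumentList $argList -Wait | Out-Null
    # Trust the filesystem, not the GUI's exit status, to say whether it mounted.
    if (-not (Test-Path "${Drive}:\")) {
        throw 'Mount failed: wrong passphrase, wrong keyfile, or non-default PIM'
    }
}

function Dismount-Container {
    # /d letter dismounts that volume; /s suppresses dialogs so an
    # unattended dismount cannot hang on a prompt; /q quits afterwards.
    param([string]$Exe, [string]$Drive)
    Start-Process -FilePath $Exe -ArgumentList @('/d', $Drive, '/q', '/s') -Wait | Out-Null
    if (Test-Path "${Drive}:\") {
        Write-Warning "${Drive}: is still mounted; a file on it is probably open"
    }
}

Mount-Container -Exe $VeraCrypt -Vol $Container -Key $KeyFile -Drive $Letter
try {
    # Example work: open the password database that lives inside the
    # container (hypothetical filename). KeePassXC asks for its own
    # master password and keyfile, a separate layer from the container.
    $db = "${Letter}:\passwords.kdbx"
    if (Test-Path -LiteralPath $db) {
        Start-Process -FilePath $KeePassXC -ArgumentList "`"$db`"" -Wait
    } else {
        Get-ChildItem "${Letter}:\" | Format-Table Name, Length, LastWriteTime
    }
} finally {
    # Dismount on every exit path so the container never stays open by accident.
    Dismount-Container -Exe $VeraCrypt -Drive $Letter
}
```

    The try/finally is the point of the script: the container is only readable
    while it is mounted, so closing it again on every exit path (including an
    error or Ctrl+C inside the try block) is what keeps the "encrypt only the
    data that matters" model honest. Pull the USB stick with the keyfile after
    dismounting; with it absent, a copy of the container and a guessed
    passphrase are still not enough to open it.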
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sat Jan 24 22:17:11 2026
    From Newsgroup: alt.comp.os.windows-11

    ...w¡ñ§±¤ñ wrote:
    In summary, I think that Windows Home users do not have the same kind of
    control over key storage that Windows Pro users have.

    At least, you're getting closer to the entire picture(Bitlocker
    Encryption is fully supported on Enterprise and Edu editions, too)

    Thanks for the clarification, where I just opened a separate thread on why,
    in my case of an older machine, and for consistency & greater protection
    even on current Windows 11 Home versus Pro machines, Veracrypt has some decisive FDE advantages over anything Microsoft marketing has provided us.

    Subject: PSA: Veracrypt has pre boot authentication (& why it's better for older PCs)
    Newsgroups: alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows
    Date: Sat, 24 Jan 2026 21:51:50 -0500
    Message-ID: <10l40g6$12r7$1@nnrp.usenet.blueworldhosting.com>

    BitLocker Enterprise and Education editions work like BitLocker Pro because they support pre boot PINs and full management of recovery keys. They still depend on TPM features, so protection varies with the hardware. VeraCrypt
    does not change across editions. It works the same on Home, Pro, Enterprise
    and Education because it does not rely on Windows features and always uses
    a password at boot.

    Hence, there are security advantages of Veracrypt FDE for older PCs & for consistency in mixed Windows environments even on the newer machines.

    Older machines:
    VeraCrypt is often a better fit for older desktops because it does
    not need a TPM and always uses a password at boot, while BitLocker
    Home and Pro rely on TPM features that many older machines do not have.

    Mixed Home & Pro environments:
    VeraCrypt full disk encryption is more consistent across mixed Windows
    highly-marketed systems because it works the same on all hardware and
    does not depend on TPM features. The more highly marketed BitLocker
    arbitrarily behaves differently on Home and Pro, so protection varies
    by edition, while VeraCrypt gives the same pre-boot password-based
    security everywhere despite Microsoft's desperate marketing hype.
    --
    My reasoning favors simple models that account for all data points.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From ...w¡ñ§±¤ñ@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sat Jan 24 23:35:01 2026
    From Newsgroup: alt.comp.os.windows-11

    Maria Sophia wrote on 1/24/2026 8:17 PM:
    ...w¡ñ§±¤ñ wrote:
    In summary, I think that Windows Home users do not have the same kind of
    control over key storage that Windows Pro users have.

    At least, you're getting closer to the entire picture(Bitlocker
    Encryption is fully supported on Enterprise and Edu editions, too)

    Thanks for the clarification, where I just opened a separate thread on why, in my case of an older machine, and for consistency & greater protection
    even on current Windows 11 Home versus Pro machines, Veracrypt has some decisive FDE advantages over anything Microsoft marketing has provided us.

    Subject: PSA: Veracrypt has pre boot authentication (& why it's better
    You'll have to get the choir to discuss that.. it's not a popular tool in
    the Enterprise/Edu/Gov community, where encryption has wider use and preference. Some might even consider it (Veracrypt) old, unreliable and
    late to the party on updating, with no official tech support, and UI
    design-wise inadequate/cumbersome/dysfunctional.


    ...w¡ñ§±¤ñ
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sun Jan 25 02:55:30 2026
    From Newsgroup: alt.comp.os.windows-11

    On Sun, 1/25/2026 1:35 AM, ...w¡ñ§±¤ñ wrote:
    Maria Sophia wrote on 1/24/2026 8:17 PM:
    ...w¡ñ§±¤ñ wrote:
    In summary, I think that Windows Home users do not have the same kind of
    control over key storage that Windows Pro users have.

    At least, you're getting closer to the entire picture (BitLocker Encryption
    is fully supported on Enterprise and Edu editions, too)

    Thanks for the clarification. I just opened a separate thread on why, in my
    case of an older machine, and for consistency & greater protection even on
    current Windows 11 Home versus Pro machines, VeraCrypt has some decisive FDE
    advantages over anything Microsoft marketing has provided us.

    Subject: PSA: Veracrypt has pre boot authentication (& why it's better
    You'll have to get the choir to discuss that. It's not a popular tool in
    the Enterprise/Edu/Gov community, where encryption has wider use and
    preference. Some might even consider it (VeraCrypt) old, unreliable and
    late to the party on updating, with no official tech support, and UI
    design-wise inadequate/cumbersome/dysfunctional.


    ...w¡ñ§±¤ñ

    I think we'd want a cryptographer of some note, to
    do the analysis.

    Maybe the people who did the audit, are the only ones
    who would want to take a public stance.

    Also, one of the problems with tracking Veracrypt, is
    people make claims about it, and someone who uses it
    will point out that a particular issue has been fixed.

    The GUI is "inherited" from Truecrypt, rather than
    being designed from scratch that way.

    It takes 15 seconds for the unlocking password to take,
    but that's because the PIM was turned up. Turning it down,
    is at your own discretion (like if you didn't fear some
    government activity). The high PIM value is to prevent
    brute forcing with a set of Amazon instances.

    Paul
    --- Synchronet 3.21a-Linux NewsLink 1.2
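
    The PIM point Paul makes above, as an added example that is not part of the
    thread and not VeraCrypt's own code: PIM is simply a multiplier on the PBKDF2
    iteration count, so it raises the time to unlock on your own machine and the
    time per guess for an attacker by the same factor. The iteration formulas are
    the ones in VeraCrypt's PIM documentation (system encryption: PIM x 2048;
    non-system volumes: 15000 + PIM x 1000); the attacker throughput and the
    62^10 password space are assumed figures used only to show the scaling, and
    the timing is measured with .NET's PBKDF2 on the machine that runs it.

```powershell
# Added example (not from the thread): how VeraCrypt's PIM sets the PBKDF2
# iteration count and what that does to a brute-force budget.
# Formulas per VeraCrypt's PIM documentation:
#   system (pre-boot) encryption with SHA-256:  PIM * 2048
#   non-system volumes and file containers:     15000 + PIM * 1000
# Attacker throughput below is an ASSUMED figure, not a measurement.

function Get-VeraCryptIterations {
    param(
        [Parameter(Mandatory)][int]$Pim,
        [switch]$SystemEncryption
    )
    if ($SystemEncryption) { return $Pim * 2048 }
    return 15000 + ($Pim * 1000)
}

function Measure-Pbkdf2Seconds {
    # Time one PBKDF2-HMAC-SHA256 derivation at the given iteration count,
    # using the .NET Rfc2898DeriveBytes class (same KDF family VeraCrypt uses).
    param([Parameter(Mandatory)][int]$Iterations)
    $salt = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        'correct horse battery staple',   # throwaway test password
        $salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $null = $kdf.GetBytes(64)
    $sw.Stop()
    $kdf.Dispose()
    return $sw.Elapsed.TotalSeconds
}

function Get-BruteForceYears {
    # Years to exhaust $Candidates guesses when the attacker can afford
    # $AttackerIterationsPerSecond PBKDF2 iterations per second in aggregate
    # (assumed: a rented GPU farm; the real number is whatever they can pay for).
    param(
        [Parameter(Mandatory)][double]$Candidates,
        [Parameter(Mandatory)][int]$Iterations,
        [double]$AttackerIterationsPerSecond = 1e10
    )
    $guessesPerSecond = $AttackerIterationsPerSecond / $Iterations
    return $Candidates / $guessesPerSecond / (365.25 * 86400)
}

# Demo: a 10-character random alphanumeric password (62^10 candidates) behind
# system encryption at several PIM values. Unlock time and attacker cost both
# grow linearly with PIM; that is the whole trade-off.
$candidates = [math]::Pow(62, 10)
foreach ($pim in 98, 485, 1000, 5000) {
    $iters = Get-VeraCryptIterations -Pim $pim -SystemEncryption
    $local = Measure-Pbkdf2Seconds -Iterations $iters
    $years = Get-BruteForceYears -Candidates $candidates -Iterations $iters
    'PIM {0,5}: {1,11:N0} iterations, {2,6:N2} s to unlock here, ~{3:E2} years to exhaust 62^10' -f $pim, $iters, $local, $years
}
```

    Run it in any PowerShell 5.1 or 7 session; no VeraCrypt install is needed.
    The local timing is single-core and will not match VeraCrypt's boot loader
    exactly, but the ratio between rows is what matters: a PIM that makes your
    own unlock take 15 seconds instead of 3 costs the attacker the same factor
    of five per guess.
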
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sun Jan 25 11:46:11 2026
    From Newsgroup: alt.comp.os.windows-11

    Paul wrote:
    Subject: PSA: Veracrypt has pre boot authentication (& why it's better
    You'll have to get the choir to discuss that..it's not a popular tool
    in the Enterprise/Edu/Gov community where encryption has wider use and
    preference.  Some might even consider it(Veracrypt) old, unreliable and
    late to the party on updating, no official tech support, and UI
    design-wise inadequate/cumbersome/dysfunctional.

    I think we'd want a cryptographer of some note, to
    do the analysis.

    On my non-Win-11-eligible older desktop, TPM isn't an option, so BitLocker
    can work on my non-TPM desktop but BitLocker has nowhere secure to store
    the key for auto-unlock. So BitLocker will only work with a manual
    configuration and with weaker protection than on a TPM-equipped machine.

    VeraCrypt, by contrast, works normally with full strength on any hardware
    --- Synchronet 3.21a-Linux NewsLink 1.2
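
    A practitioner's check for the situation described above, as an added
    example that is not part of the thread and not Microsoft's own tooling: a
    read-only PowerShell script that reports whether the machine has a TPM,
    whether the "allow BitLocker without a compatible TPM" policy has been set,
    and which key protector types the OS volume actually uses. It assumes an
    elevated session on an edition that ships the BitLocker module
    (Pro/Enterprise/Education); on Home the module is absent, and the script
    says so rather than failing. The function names are mine.

```powershell
# Added example (not from the thread): read-only inspection of what BitLocker
# has to work with on this machine. Run elevated. Changes nothing.

function Get-TpmSummary {
    # Get-Tpm is in the TrustedPlatformModule module (Windows 8 and later).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = [bool]$tpm.TpmPresent; Ready = [bool]$tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Get-NoTpmPolicy {
    # The 'Require additional authentication at startup' policy lands under this
    # key when set with gpedit or a GPO. EnableBDEWithNoTPM=1 is what lets
    # BitLocker protect the OS drive with a password or USB startup key instead
    # of a TPM. Absent key means the policy was never configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $v = Get-ItemProperty -Path $key -Name EnableBDEWithNoTPM -ErrorAction SilentlyContinue
    return [bool]($v -and $v.EnableBDEWithNoTPM -eq 1)
}

function Get-OsDriveProtectors {
    # Get-BitLockerVolume ships with the BitLocker feature; Home lacks it.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return 'BitLocker PowerShell module not available (Home edition or feature missing)'
    }
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os) { return 'No OS volume reported by BitLocker' }
    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        ProtectionStatus = $os.ProtectionStatus      # On / Off
        VolumeStatus     = $os.VolumeStatus          # FullyEncrypted, etc.
        EncryptionMethod = $os.EncryptionMethod
        # Tpm/TpmPin/TpmStartupKey: key sealed by the TPM, released at boot.
        # Password/ExternalKey: pre-boot secret, the only option with no TPM.
        # RecoveryPassword: the 48-digit recovery key, present either way.
        Protectors       = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
    }
}

$tpm = Get-TpmSummary
"TPM present: $($tpm.Present)   TPM ready: $($tpm.Ready)"
"Policy allows BitLocker without TPM: $(Get-NoTpmPolicy)"
Get-OsDriveProtectors
```

    Reading the output: a protector list that contains Tpm (or a Tpm* variant)
    means the volume key is sealed to the TPM and released at boot without
    asking anyone; Password or ExternalKey means pre-boot authentication. A
    machine with no TPM and the policy still unset will show the module either
    missing or an OS volume with protection Off, which is the "manual
    configuration" case in the post above.
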
  • From Chris@ithinkiam@gmail.com to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sun Jan 25 18:44:11 2026
    From Newsgroup: alt.comp.os.windows-11

    ..w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote:
    Maria Sophia wrote on 1/24/2026 8:17 PM:
    ...w¡ñ§±¤ñ wrote:
    In summary, I think that Windows Home users do not have the same kind of
    control over key storage that Windows Pro users have.

    At least, you're getting closer to the entire picture (BitLocker
    Encryption is fully supported on Enterprise and Edu editions, too)

    Thanks for the clarification. I just opened a separate thread on why, in my
    case of an older machine, and for consistency & greater protection even on
    current Windows 11 Home versus Pro machines, VeraCrypt has some decisive FDE
    advantages over anything Microsoft marketing has provided us.

    Subject: PSA: Veracrypt has pre boot authentication (& why it's better
    You'll have to get the choir to discuss that. It's not a popular tool in
    the Enterprise/Edu/Gov community, where encryption has wider use and
    preference. Some might even consider it (VeraCrypt) old, unreliable and
    late to the party on updating, with no official tech support, and UI
    design-wise inadequate/cumbersome/dysfunctional.

    In a professional environment VeraCrypt is an anachronism. IT depts want to
    be able to manage the many hundreds and thousands of machines they maintain
    through policy and central administrative systems.

    Thus, with BitLocker they can remote wipe machines, and if a staff member
    has somehow locked themselves out of their machine the encryption key can
    be restored.

    They do not want to have to manage each machine manually. Nor do they want
    users to install their own shadow systems either.

    In the workplace staff have no right to privacy, so this is all moot anyway.
    --- Synchronet 3.21a-Linux NewsLink 1.2