11 comments

  • neuralkoi 2 hours ago
    The author did an excellent job explaining what an evil maid attack is, but a very poor job of explaining how their proposal mitigates such an attack.

    I think the classic "Detecting unauthorized physical access with beans, lentils and colored rice" [0] approach is simpler to understand and simpler to implement. It doesn't rely on any hardware, such as a Raspberry Pi or otherwise technology which can be more easily subject to scrutiny via Ken Thompson's "Reflections on Trusting Trust".

    [0] https://dys2p.com/en/2021-12-tamper-evident-protection.html

    • x187463 1 hour ago
      That's cool. I hadn't heard of that, before. I had a related idea for achieving plausible deniability of the key in full disk encryption or similar scenarios. The password would be derived from the position of sensitive, yet innocuous, elements on the device, ensuring that the seizure of the device would likely corrupt this relationship. For instance, a series of N-sided dice could be placed in specific positions on top of the device (in the case of a desktop computer, perhaps), and the password derived from their sequence. Consideration must also be given to the possibility of the device being photographed—likely from a single angle—before being moved. So, the dice would be positioned to include some amount of occlusion. Any dice-based algorithm would need to ensure the search space for the resulting key was sufficiently large.
  • guerrilla 1 hour ago
    Just so you know, this name is already taken by a famous security product for intrusion detection.

    https://en.wikipedia.org/wiki/Tripwire_(company)

    https://en.wikipedia.org/wiki/Open_Source_Tripwire

  • Eduard 2 hours ago
    I guess this is actually not an anti evil maid defense.

    It's rather an anti evil maid tool, or an evil maid defense. :)

    sorry for being pedantic, but with the arms race within cybersecurity, "anti something defense" sounds like double negation to me.

    • nine_k 1 hour ago
      I would call it "a defense against evil maid attacks" to avoid any ambiguity.
  • voxadam 3 hours ago
    For a second I thought Tripwire, Inc.[0] had risen from the dead with a new IDS.

    [0] https://en.wikipedia.org/wiki/Tripwire_(company)

  • bflesch 2 hours ago
    The bullet point stating that tripwire was built for "High-ranking officials in businesses/organizations" should be removed, because that group is very unlike the "Developers of critical software", "Investigative journalists", and "Attorneys with high-profile clients" which are also mentioned.

    Everybody who had the pleasure to work with "high-ranking officials in businesses/organizations" knows that this group is the one who overrides many technically optimal decisions and thinks internal policies do not apply to them. Their lives are not affected if a device is compromised because they are financially stable and can just blame an intrusion on the IT team.

  • friend99 45 minutes ago
    > NEVER PLUG/UNPLUG THE CAMERA MODULE, THE PIR SENSOR, OR WIRES WHEN THE RPi IS POWERED ON!!!

    Why?! Will it trigger W.O.P.R. and start attempting to brute force missile silo keys?

  • Mistletoe 36 minutes ago
    How does an evil maid get past a locked iPhone or laptop? It’s really not that easy with a proper password and encryption right?
  • pyrolistical 1 hour ago
    For high sec people, they should have an internal sec camera system. They have come down in price over time.
    • kotaKat 1 hour ago
      I’ve slowly been working on building a Honeywell burglar alarm panel (a Vista15P/20P) into part of a Pelican case for travel. I can just stick up sensors where I need them temporarily (a PIR, a glassbreak, a couple motions), and then use an ECP bus decoder (like the old AlarmDecoder board[1]) to kick notifications and alerts out where they need to go with an LTE-connected miniPC/Pi.

      When I need to secure an area (eg, vending at a convention at a hotel, locking up the room with stock), I can just pop down the Pelican, plug in the keypad (which doubles as the RF transceiver), stick up sensors, and I’m off to the races.

      [1] http://www.alarmdecoder.com/

  • Mistletoe 37 minutes ago
    How does an evil maid get past a locked iPhone or laptop? It’s really not that easy with a proper password right?
  • sandworm101 3 hours ago
    This isn't a tripwire. This is a canary. You have to actively check a canary. A tripwire would send notifications in real time without the user needing to check.

    An evolution of this would be to put a server on a different network, a remote location, and have it pump out warnings the moment movement was detected and/or contact with the "tripwire" system was lost.

    But the best way of preventing evil maid attacks remains knowing your hardware. Anyone trying to swap out my laptop, or open it, is going to have a problem replicating my scratch marks, my non-standard OS boot screen, or prying out the glue holding in the ram modules (to prevent cold boot attacks).
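
The off-site monitor described in the comment above, sketched as an added example that is not part of the thread: a remote listener that alerts on motion and on loss of contact with the sensor. The shared key, message fields, timeout and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned on both ends out of band
TIMEOUT = 30                          # assumption: seconds of silence treated as lost contact

def sign(seq, ts, motion, key=SHARED_KEY):
    """Sensor side: build one authenticated heartbeat (body, tag)."""
    body = json.dumps({"seq": seq, "ts": ts, "motion": motion}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

class RemoteMonitor:
    """Off-site side: raises alerts without the owner having to check anything."""

    def __init__(self, key=SHARED_KEY, timeout=TIMEOUT):
        self.key, self.timeout = key, timeout
        self.last_seq, self.last_seen = -1, None

    def receive(self, body, tag, now):
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return ["ALERT: heartbeat failed authentication"]
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:  # a recorded heartbeat played back
            return ["ALERT: replayed or out-of-order heartbeat"]
        self.last_seq, self.last_seen = msg["seq"], now
        return ["ALERT: motion detected"] if msg["motion"] else []

    def tick(self, now):
        """Called on a timer; silence is itself an alarm condition."""
        if self.last_seen is not None and now - self.last_seen > self.timeout:
            return ["ALERT: contact with sensor lost"]
        return []

def demo():
    """Constructed sequence of events; 'now' is simulated seconds."""
    mon, alerts = RemoteMonitor(), []
    alerts += mon.receive(*sign(1, 0, False), now=0)    # quiet room
    alerts += mon.receive(*sign(2, 10, True), now=10)   # PIR fired
    alerts += mon.receive(*sign(2, 10, False), now=12)  # old sequence number
    alerts += mon.receive(*sign(3, 20, False, key=b"wrong-key"), now=20)  # forged
    alerts += mon.tick(now=25)                          # still within timeout
    alerts += mon.tick(now=60)                          # sensor unplugged
    return alerts

if __name__ == "__main__":
    print("\n".join(demo()))
```

The sequence number and HMAC matter because an attacker who can reach the network path could otherwise replay a recorded "all quiet" heartbeat while the sensor is disabled.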

    • ramses0 2 hours ago
      I was sure I'd made a comment like this before, but I'd love some sort of home-spun setup like this: https://news.ycombinator.com/item?id=2465687 ...hood, tuck, john. (2x local, 1x remote) which constantly rotated roles as to who was primary/secondary.

      Basically core "chaos-infra" for your home setup(s). Hood/Tuck switch between primary and secondary, always trying to stay in touch with "John" (offsite), maybe like a primitive etcd for home automation/monitoring/backup/file-serving. Green==3good, Yellow=degraded[local|remote], Red=single-point-of-failure, Black=off/not-serving.

      Other funsie to think about is getting a thumbprint/PIN-locked USB-drive to hold/unlock `~/.passwordstore/*.gpg` so that even on power-outage/reboot you'd need to physically "re-auth" to unlock important secrets.

      Something like this would fit nicely into this (imaginary) setup!

      • sandworm101 1 hour ago
        I had a professor once ask about the strip of duct tape across the back of my brand new laptop. "Well, thieves cannot pawn electronics with cracked cases. So all my laptops have at least some tape so they think it may be cracked." The next lecture, the prof had a strip of masking tape on his laptop too.

        But slap a tux logo and an "i l9ve truecrypt" banner on your device and nobody short of the NSA would even attempt a maid attack.

        • gruez 1 hour ago
          >Well, thieves cannot pawn electronics with cracked cases

          Can't, or they'll get less money? I'm also not sure if I ever saw a laptop with a cracked case before, not to mention macbooks are the most recognizable and can't have cracked cases (because they're aluminum), and other laptops aren't worth stealing because their value drops sharply.

          >But slap a tux logo and an "i l9ve truecrypt" banner on your device and nobody short of the NSA would even attempt a maid attack.

          truecrypt is actually very susceptible to evil maid attacks because it doesn't use secureboot/tpm, which means all a baddie has to do is install a backdoored version of truecrypt and wait for you to enter the password.

    • hurturue 22 minutes ago
      new CPUs have built in memory encryption with random key. activate it for an additional layer on top of your glue

      it's called TSME on AMD