Of Encrypted Hard Drives and "Evil Maids"
Schneier has a blog piece about Joanna Rutkowska's "evil maid" attack, demonstrated earlier this month against TrueCrypt. "The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. ... [A] likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. ... [P]eople who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing their computer and then trying to get at the data. It does not protect against an attacker who has access to your computer over a period of time during which you use it, too."
The best security is to pick an obscure poison. Take it in small doses until you're immune. Coat the keyboard with it. Better yet, get a keyboard that automatically dispenses the poison.
Evil maid now equals dead maid.
My only problem is, now that the maid is dead, who's gonna hide the body?
You know they've run extortion against business guys, politicians and bureaucrats for years using all manner of hired female talent.
The gimmick is Bob the Middle Manager & Happily Married Guy on video cornholing some girl, or even better, a boy. This is used as leverage to control Bob so he can be a mole, giving you valuable info, inside access, etc.
This beats trojaning his computer as you now have a live operator inside the organization who will do anything to keep his wife/boss/kids from finding out he's a cheat or a homo.
This is one of the reasons I've always supported trusted computing -- even though many other F/OSS people see it as evil. Trusted computing lets me have some control over what runs on my own hardware, and helps to prevent against this type of attack vector.
- Michael T. Babcock (Yes, I blog)
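As an added illustration of the trusted-computing point in the comment above (not part of any post in this thread), here is a minimal simulation of TPM-style measured boot with a key sealed to the measurement. The stage names, byte strings and helper functions are constructed for the example, and SHA-256 is assumed as the PCR hash.

```python
import hashlib
import hmac

PCR_SIZE = hashlib.sha256().digest_size  # assumed SHA-256 PCR bank, 32 bytes


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(stages) -> bytes:
    """Fold every boot stage, in order, into one PCR that starts at all zeros."""
    pcr = bytes(PCR_SIZE)
    for blob in stages:
        pcr = extend(pcr, blob)
    return pcr


def unseal(sealed_pcr: bytes, current_pcr: bytes, secret: bytes):
    """Release the secret only when the current measurement matches the sealed one."""
    return secret if hmac.compare_digest(sealed_pcr, current_pcr) else None


# Constructed sample boot stages (placeholders, not real boot code).
FIRMWARE = b"constructed-firmware-image"
BOOTLOADER = b"constructed-disk-encryption-bootloader"
KERNEL = b"constructed-kernel-image"
DISK_KEY = b"constructed-volume-key"

# Measurement recorded while the machine was in a known-good state.
GOOD_PCR = measure_boot_chain([FIRMWARE, BOOTLOADER, KERNEL])


def boot(stages):
    """Return the volume key if the measured chain matches, otherwise None."""
    return unseal(GOOD_PCR, measure_boot_chain(stages), DISK_KEY)


if __name__ == "__main__":
    tampered = BOOTLOADER + b"\x90"  # a single changed byte in the bootloader
    print("clean boot releases key:   ", boot([FIRMWARE, BOOTLOADER, KERNEL]) is not None)
    print("tampered boot releases key:", boot([FIRMWARE, tampered, KERNEL]) is not None)
```

The protection holds only if the first measurement is taken by a component the attacker cannot replace; a passphrase typed into an unmeasured bootloader gets no benefit from this check.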