Most active commenters
  • bawolff(3)

←back to thread

Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)
658 points transpute | 14 comments | 06 May 23 17:39 UTC | HN request time: 0.001s | source | bottom
Show context
josephcsible ◴[06 May 23 19:00 UTC] No.35844339[source]
This isn't a blow to real security, just to DRM and treacherous computing. There's no legitimate security from "Secure" Boot.
replies(2): >>35844366 #>>35845021 #
bawolff ◴[06 May 23 19:03 UTC] No.35844366[source]
Evil maids?
replies(6): >>35844387 #>>35844545 #>>35844816 #>>35845120 #>>35845414 #>>35849808 #
1. Filligree ◴[06 May 23 19:05 UTC] No.35844387[source]
How many of us have maids? How many of those maids are evil?
replies(3): >>35844414 #>>35848100 #>>35865747 #
2. ghostpepper ◴[06 May 23 19:07 UTC] No.35844414[source]
"Evil maid" is a generic descriptor for any number of attacks that can be performed with physical access to a device.

https://en.wikipedia.org/wiki/Evil_maid_attack

"The name refers to the scenario where a maid could subvert a device left unattended in a hotel room – but the concept itself also applies to situations such as a device being intercepted while in transit, or taken away temporarily by airport or law enforcement personnel. "

replies(3): >>35844820 #>>35845994 #>>35848125 #
3. guilhas ◴[06 May 23 19:54 UTC] No.35844820[source]
Still, how real of a threat that is for 99% of computer users?

And law enforcement will have a device to bypass most devices security

replies(3): >>35844989 #>>35845472 #>>35848215 #
4. Avamander ◴[06 May 23 20:14 UTC] No.35844989{3}[source]
> And law enforcement will have a device to bypass most devices security

What makes you say that and how is that an excuse to do nothing?

replies(1): >>35850406 #
5. bawolff ◴[06 May 23 21:23 UTC] No.35845472{3}[source]
Its definitely on the high end of attacks and a bit unlikely, but i dont think its exclusively nation states. Well within the reach of thieves who want to steal your bank info or something.
6. codedokode ◴[06 May 23 22:40 UTC] No.35845994[source]
With physical access you can simply install a keylogger, GPS tracker, and maybe something worse (malicious PCI-Express or USB device for example).
7. zirgs ◴[07 May 23 05:04 UTC] No.35848100[source]
Pretty much all offices have them.
8. ngneer ◴[07 May 23 05:10 UTC] No.35848125[source]
I genuinely hate this "cute" yet condescending name. Maids are on the low skill low wage end of the spectrum. Even if there is a motive to mount a physical attack, possibly a targeted one, it will either be performed by a person impersonating a maid or with the help of an operator giving instructions. So, either an "evil" maid who is not really evil, or an evil "maid" who is not really a maid. Contrived, inaccurate and demeaning.
replies(1): >>35850270 #
9. bawolff ◴[07 May 23 11:25 UTC] No.35850270{3}[source]
This seems to sell maids a little short. I'm sure maids are just as capable of being script kiddies as anyone else.
replies(1): >>35860727 #
10. guilhas ◴[07 May 23 11:50 UTC] No.35850406{4}[source]
To prevent against a evil maid attack you would need to encrypt your drive

In case of a malfunction, you risk loosing all your data

Threat actors and law enforcement can bypass it

UEFI threats moving to the ESP: Introducing ESPecter bootkit https://www.welivesecurity.com/2021/10/05/uefi-threats-movin...

11. account42 ◴[08 May 23 12:16 UTC] No.35860727{4}[source]
Most people don't choose low paying physically demanding jobs when they can paste together stack overflow answers.

That said, "Evil Maid" fits here because of that - they are no someone that you expect to need technical protections from but theoretically they could be a genious adversary or just hired by one.

replies(1): >>35881808 #
12. lostmsu ◴[08 May 23 19:07 UTC] No.35865747[source]
Do you take your laptop with you when going to a Starbucks restroom?
replies(1): >>35869866 #
13. josephcsible ◴[09 May 23 03:30 UTC] No.35869866[source]
...Yes? Not because of the risk of evil maid attacks, but because of the risk someone will just steal it.
14. ngneer ◴[09 May 23 23:45 UTC] No.35881808{5}[source]
I tend to agree with your analysis. But that is precisely my beef with the term. You seem to be saying that the term fits _because_ it describes a population that violates security expectation, _because_ it is "generally not smart, except for theoretical surprises" or "easy to hire for nefarious purpose". Neither one is very flattering, neither one equates to "evil" and neither one applies specifically to maids. A neutral term would have been an "adversary with temporary physical access" but that is not nearly as catchy.