←back to thread

Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)
658 points transpute | 4 comments | 06 May 23 17:39 UTC | HN request time: 1.016s | source
Show context
josephcsible ◴[06 May 23 19:00 UTC] No.35844339[source]
This isn't a blow to real security, just to DRM and treacherous computing. There's no legitimate security from "Secure" Boot.
replies(2): >>35844366 #>>35845021 #
bawolff ◴[06 May 23 19:03 UTC] No.35844366[source]
Evil maids?
replies(6): >>35844387 #>>35844545 #>>35844816 #>>35845120 #>>35845414 #>>35849808 #
Filligree ◴[06 May 23 19:05 UTC] No.35844387[source]
How many of us have maids? How many of those maids are evil?
replies(3): >>35844414 #>>35848100 #>>35865747 #
ghostpepper ◴[06 May 23 19:07 UTC] No.35844414[source]
"Evil maid" is a generic descriptor for any number of attacks that can be performed with physical access to a device.

https://en.wikipedia.org/wiki/Evil_maid_attack

"The name refers to the scenario where a maid could subvert a device left unattended in a hotel room – but the concept itself also applies to situations such as a device being intercepted while in transit, or taken away temporarily by airport or law enforcement personnel. "

replies(3): >>35844820 #>>35845994 #>>35848125 #
1. ngneer ◴[07 May 23 05:10 UTC] No.35848125[source]
I genuinely hate this "cute" yet condescending name. Maids are on the low skill low wage end of the spectrum. Even if there is a motive to mount a physical attack, possibly a targeted one, it will either be performed by a person impersonating a maid or with the help of an operator giving instructions. So, either an "evil" maid who is not really evil, or an evil "maid" who is not really a maid. Contrived, inaccurate and demeaning.
replies(1): >>35850270 #
2. bawolff ◴[07 May 23 11:25 UTC] No.35850270[source]
This seems to sell maids a little short. I'm sure maids are just as capable of being script kiddies as anyone else.
replies(1): >>35860727 #
3. account42 ◴[08 May 23 12:16 UTC] No.35860727[source]
Most people don't choose low paying physically demanding jobs when they can paste together stack overflow answers.

That said, "Evil Maid" fits here because of that - they are no someone that you expect to need technical protections from but theoretically they could be a genious adversary or just hired by one.

replies(1): >>35881808 #
4. ngneer ◴[09 May 23 23:45 UTC] No.35881808{3}[source]
I tend to agree with your analysis. But that is precisely my beef with the term. You seem to be saying that the term fits _because_ it describes a population that violates security expectation, _because_ it is "generally not smart, except for theoretical surprises" or "easy to hire for nefarious purpose". Neither one is very flattering, neither one equates to "evil" and neither one applies specifically to maids. A neutral term would have been an "adversary with temporary physical access" but that is not nearly as catchy.