Which release should we be using?

David Manouchehri me at davidmanouchehri.com
Sat Aug 27 03:16:10 CEST 2011


Actually Anthony, you are correct.  It can't be defeated, or at least as
far as I know.  What I was suggesting was to move the vulnerable part
(bootloader and kernel) of the system off to a portable storage device,
so it would be easier to keep an eye on.  You can just bring it with you
wherever you go.  Obviously if somebody gets the storage device that
contains the unencrypted bootloader and kernel, they can modify it.
 
It's just much easier to bring a tiny flash drive with you compared to a
15.4" laptop.  Check out the USB flash drives made by IronKey, you could
even take those in the shower with you! ;)
 
Hope that clears it up,
 
David Manouchehri   
 
 
On 8/26/2011 5:00 PM, Anthony Papillion wrote:
>
> On 8/26/2011 3:53 PM, David Manouchehri wrote:
>
> > The Evil Maid attack can't really be defeated, but what you can do to
> > help prevent it is encrypt everything, including your /boot. Then,
> > start up from a flash drive that contains a LiveUSB with kexec and
> > whatever encryption program you used; after that you can load the "real"
> > kernel with kexec. Of course, if somebody gets that flash drive it's
> > still the same thing.
>
> Interesting. From what I read on Schneier's blog and a few other places
> at the time, it seemed like a pretty decent attack and it didn't look
> like it could be defeated since it was a system attack rather than a
> direct attack on the cryptography itself. Of course, we have to look at
> risk too: how likely are most of us to have agents sneaking into our
> house to secretly install software? Some of us might be pretty likely
> though.
>
> So an Evil Maid attack is even possible if your entire hard disk is
> encrypted using TrueCrypt, isn't it, since the bootloader is still exposed
> on an unprotected part of the volume. I see Schneier suggests using a
> trusted computing model but then that's easy to defeat if they have
> physical access to your machine. So, ultimately, the only real way to
> protect from it is the method you're describing. And, since it's much
> easier to protect a flash drive than an entire computer, it's almost
> infallible.
>
> Thanks for the info!
>
> Anthony




More information about the Gnupg-users mailing list