Hacker News

Thesis: it is possible that someone may access your laptop without you knowing if you leave it unattended.

Experiment: after having gone through a number of - some meaningless[1] - attempts to be able to prove that this happened, there was no evidence it happened.

Doubt: did it happen nonetheless without leaving any trace, or did it not actually happen at all?

Bonus: the experimenter learned that NVRAM exists in the stupid UEFI firmware

Conclusion: None worth mentioning, but be very aware of what the terrible evil maids can do, and do use the recommended Android app to defend against them.

[1] Hashing a whole hard disk is only a "positive" proof: if the hashes correspond, nothing changed, but it is very possible that the hashes change because of any filesystem or disk issue if the system is used, so the method is pointless in the real world, where people bring a laptop with them in order to use it.




>Thesis: it is possible that someone may access your laptop without you knowing if you leave it unattended.

This is known to be true; this experiment was about seeing if anyone would access this laptop. Which also addresses what you view as meaningless: real-world scenarios are trying to avoid their laptop being compromised, while the author was hoping that it would be.


I know that it is true; it is actually a truism.

The "experiment" has too few data points to be meaningful, and the proposed way to verify remains meaningless, two simple cases:

1) the evil maid simply makes a forensic image of the disk

2) a sector in the hard disk goes bad

Case 1: there was an intrusion, all the data was stolen, but the hashes do not show that (false negative)

Case 2: there was NOT any intrusion, but the hashes show that there was a change (false positive)


>The "experiment" has too few data points to be meaningful, and the proposed way to verify remains meaningless, two simple cases:

This isn't science; we know this is possible and the "experiment" was to try and find examples of it happening.

A false negative is always assumed, it is impossible to know you haven't been compromised. A false positive is meaningless as finding a change is only the first step. You then need to analyze what the change is, and if you can't pin down what has been compromised you're just back to the default state of unaware.

This is a honeypot. If you leave your honeypot and return to an empty one, you're pretty sure a bear is around but can't do anything. If you find a bear with its paws in the pot, you don't need to run the experiment again to prove there's a bear.
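The two cases from the thread (a read-only forensic image versus a single bad sector), as an added example that is not part of any comment above: per-block hashing of a constructed disk image shows the false negative directly and, unlike one whole-disk hash, localizes a change to the block it happened in, which is the "first step" of analysing what changed. The block size, image contents and the bad-block index are all constructed for the demo.

```python
import hashlib
import random

BLOCK = 512  # bytes per block; constructed demo value (real disks use 512 or 4096)


def block_hashes(image: bytes, block_size: int = BLOCK) -> list:
    """Hash each block separately. A whole-disk hash answers only 'changed?';
    per-block hashes also answer 'where?'."""
    return [hashlib.sha256(image[i:i + block_size]).hexdigest()
            for i in range(0, len(image), block_size)]


def changed_blocks(before: list, after: list) -> list:
    """Indices of blocks whose digest differs between two snapshots."""
    if len(before) != len(after):
        raise ValueError("snapshots cover different image sizes")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def make_image(blocks: int = 16, seed: int = 1) -> bytes:
    """Constructed stand-in for the laptop's disk: deterministic pseudo-random data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(blocks * BLOCK))


def scenario_forensic_image() -> list:
    """Case 1: the disk is read and copied, nothing is written. The data left with
    the attacker, yet no block differs (false negative)."""
    disk = make_image()
    baseline = block_hashes(disk)
    stolen_copy = bytes(disk)          # read-only copy; original untouched
    assert stolen_copy == disk
    return changed_blocks(baseline, block_hashes(disk))   # -> []


def scenario_bad_sector(bad_block: int = 5) -> list:
    """Case 2: one sector goes bad and reads back as zeroes. A whole-disk hash just
    says 'changed'; per-block hashes pin it to one block, so the next step
    (damage or tampering?) can look at that block alone."""
    disk = make_image()
    baseline = block_hashes(disk)
    damaged = bytearray(disk)
    damaged[bad_block * BLOCK:(bad_block + 1) * BLOCK] = bytes(BLOCK)
    return changed_blocks(baseline, block_hashes(bytes(damaged)))   # -> [5]


if __name__ == "__main__":
    print("forensic image, changed blocks:", scenario_forensic_image())
    print("bad sector, changed blocks:", scenario_bad_sector())
```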


A forensic image of the encrypted disk is useless (assuming strong passphrase, no bugs, etc.). The article is about the risk that an "evil maid" injects software/firmware into his laptop that presents the expected UI but secretly logs everything he types, and does something bad with that information later.



