Add hardware section #1939
Conversation
Can I recommend explicitly stating the term "Juice Jacking" (ideally with a link to an article talking about it) so the user can further research the attack vector? For example:
Sure, thanks for the link
This pull request has been mentioned on Privacy Guides. There might be relevant details there: https://discuss.privacyguides.net/t/please-add-hardware-recomendation-section-all-categories/11616/2
Think I'm going to remove the Faraday cage part since a lot of products that claim to be Faraday bags/cages are scams. Also it's really easy to accidentally leave a gap big enough for the waves to escape, defeating the whole point.
Some valid points were brought up on the forum, I'll revise a bit. |
@mfwmyfacewhen :( may I ask why? We've gone through extensive efforts to transparently demonstrate the forensic efficacy
The presence detection in Windows (and Linux now it seems) is a lot more covert and comes with the OS. Correct me if I'm wrong, but the use case seems to be in a public place where you might get your laptop stolen. Having a strap on your wrist would seemingly make you more of a target. Also presence detection works without requiring the user to remember to put something on, whereas with buskill the user needs to remember to put it on every time. |
Sorry, I strongly disagree with only recommending "presence detection" tech. High-risk users should be either physically disabling their cameras or covering them. Also, biometrics should be used as usernames, not passwords. I'm all for telling users all their options, but if we recommend presence detection then we should clearly note the risks and limitations of this technology (and, of course, I'd ask you to do the same with BusKill). For some people, one is better than the other. And vice-versa. It depends on the reader's risk model, and we should allow them to make that decision for themselves.
Public places are one use case, but it's also used by journalists, activists, and human rights defenders working in private offices in oppressive countries who may have their office suddenly raided. BusKill is open-source so it can be designed however you want, but we recommend clipping a carabiner to your belt loop, not to your wrist. If you're using it in a public place, it's as inconspicuous as your device's power cable. I've never used this OS presence detection, but I doubt it's comparable to the capabilities of BusKill. With BusKill, you can have it lock your machine. Or you can have it shut down your machine. Or you can (currently just for Linux) have it wipe your FDE header (thereby making the encrypted data permanently inaccessible, even to rubber-hose cryptanalysis). This (destroying the master encryption key) is really the only solution for high-risk users like journalists, activists, and human rights defenders working in oppressive countries (to protect their sources).
@ph00lt0 tried my best to go over encrypted drives, could you take a look and let me know if you see anything wrong? |
I am so sorry for being unresponsive. I am currently working around 11 hours a day if not more, so extremely occupied. I will try to have a look on the weekend, this is on my list. |
Don't worry about it if you're busy, I'll get others on the team to look at it. |
+1 vote for this |
This pull request has been mentioned on Privacy Guides. There might be relevant details there: https://discuss.privacyguides.net/t/move-or-remove-freedombox/11774/2 |
67e4d9a to 2150385
fb1d227 to ef532b6
It might also be a good idea to mention Windows 11 secured-core PCs for a higher baseline of hw security features.
They're obviously advantageous for Windows users, but also for users of alternative operating systems: for example DMA protection and ability to completely distrust Microsoft certificates are two things they might still be interested in.
@mfwmyfacewhen I think it's important to link to glitter nail polish as it's one of the best tamper-evident solutions. After all, this is a hardware privacy guide. We should focus on hardware solutions. And Secure Boot cannot detect hardware tampering. Anyway, with Secure Boot there's an enormous attack vector because the private keys are owned by OEMs (many of which have a very bad history of key management practices). Some Operating Systems intentionally don't sign their releases with Secure Boot. Indeed, Secure Boot is not very Secure.
Thanks for the input, my thought process was that the nail polish thing is quite human error-prone. I can easily imagine someone who's very paranoid staring at two images of the nail polish and imagining differences where there aren't any, or someone not very observant not noticing the differences. It also relies on the person to check it regularly, which I think after a while most people just won't bother. I figured if you don't want anyone to get into your laptop, then you should probably just avoid leaving it unattended in the first place. I agree that the way secure boot is implemented most of the time it has its issues, but it's better to have it than not (if the OS supports it) and it can prevent a more common attack vector I think than hardware tampering: malware installed via a USB. I'm not sure what to call it when only signed firmware is allowed to run, Apple calls it secure boot, android seems to call it verified boot. There seems to be a problem with standardizing the names here lol. Whatever it is, maybe that should be recommended instead.
Usually this is done before traveling. Or when shipping a laptop (eg from employer to remote-working employee). Most people traveling (eg for work) carry a laptop with them, and it's an unfortunately common-enough practice for customs agents to take your device away from you (either to image it or to install malware). In any case, it's not an issue of just "leaving it unattended". We should be writing this guide for at-risk users who need privacy tools because they find themselves operating in an oppressive regime where they may not have the ability to keep their devices in their sight at all times.
The Blink Comparison app was designed specifically for this purpose. The best thing to do is to use technology to avoid human error :)
I'm not advocating that we remove Secure Boot. I just think we shouldn't only recommend Secure Boot -- especially because there are better options out there to detect hardware tampering. I hope you'll consider re-adding the glitter fingernail polish link and Heads.
I think we might need to mention that using custom secure boot keys is the best way to increase security there (or at least enrolling a MOK). Like with all things though, user action generally is required to reach higher degrees of assurance/security. There is no reason you can't use secure boot with Qubes OS, but you'd need to sign the kernel and bootloader manually. The process for doing that though is the same regardless of whether you use Windows, Linux, or Qubes OS. I do think Linux will get there in regard to Trusted Boot but there really haven't been reliable tools to make use of the system. I'm looking forward to the focus on UKI because up until now initramfs images usually aren't signed on any distribution. Tools like
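The "custom secure boot keys" workflow the comment above refers to, written out as an added example (not code from this pull request or from the Privacy Guides project): it generates a Platform Key (PK), Key Exchange Key (KEK) and signature database (db) key pair with openssl, optionally wraps them into the EFI signature lists that firmware enrolment expects (requires efitools, which is assumed to be installed if present on PATH), and signs a kernel or bootloader image with the db key using sbsign from sbsigntools (also assumed). The key directory and the input/output image paths are parameters you supply; nothing here touches firmware variables.

```bash
#!/usr/bin/env bash
# Added example: generate custom Secure Boot keys and sign an EFI binary with them.
# Assumes: openssl on PATH. Optional: cert-to-efi-sig-list/sign-efi-sig-list (efitools)
# and sbsign/sbverify (sbsigntools). Enrolling the resulting .auth files into the
# firmware (via the setup menu, KeyTool or efi-updatevar) is a separate, deliberate step.
set -eu

# gen_key NAME CN DIR: self-signed RSA-2048 cert + key, plus a DER copy (firmware
# setup menus usually want .cer/DER rather than PEM).
gen_key() {
  name=$1; cn=$2; dir=$3
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=${cn}/" -keyout "${dir}/${name}.key" -out "${dir}/${name}.crt" 2>/dev/null
  openssl x509 -in "${dir}/${name}.crt" -outform DER -out "${dir}/${name}.cer"
  chmod 600 "${dir}/${name}.key"
}

# make_keys DIR: the three-level hierarchy. PK is self-signed, KEK is authorised by PK,
# db (what actually verifies your kernel/bootloader) is authorised by KEK.
make_keys() {
  dir=$1
  mkdir -p "$dir"
  gen_key PK  "Custom Secure Boot PK"  "$dir"
  gen_key KEK "Custom Secure Boot KEK" "$dir"
  gen_key db  "Custom Secure Boot db"  "$dir"
  echo "keys written to $dir"
}

# make_esl DIR: EFI signature lists and signed .auth updates, only if efitools is present.
# Each variable update is signed by the key one level above it, mirroring how the
# firmware validates writes to KEK and db.
make_esl() {
  dir=$1
  if ! command -v cert-to-efi-sig-list >/dev/null 2>&1; then
    echo "efitools not installed; skipping .esl/.auth generation" >&2
    return 0
  fi
  guid=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
  echo "$guid" > "${dir}/owner.guid"
  for name in PK KEK db; do
    cert-to-efi-sig-list -g "$guid" "${dir}/${name}.crt" "${dir}/${name}.esl"
  done
  sign-efi-sig-list -k "${dir}/PK.key"  -c "${dir}/PK.crt"  PK  "${dir}/PK.esl"  "${dir}/PK.auth"
  sign-efi-sig-list -k "${dir}/PK.key"  -c "${dir}/PK.crt"  KEK "${dir}/KEK.esl" "${dir}/KEK.auth"
  sign-efi-sig-list -k "${dir}/KEK.key" -c "${dir}/KEK.crt" db  "${dir}/db.esl"  "${dir}/db.auth"
}

# sign_efi DIR IN OUT: Authenticode-sign a PE/EFI image (kernel, shim, UKI, bootloader)
# with the db key and verify the result. Same command regardless of distribution.
sign_efi() {
  dir=$1; in=$2; out=$3
  if ! command -v sbsign >/dev/null 2>&1; then
    echo "sbsigntools not installed; cannot sign $in" >&2
    return 1
  fi
  sbsign --key "${dir}/db.key" --cert "${dir}/db.crt" --output "$out" "$in"
  sbverify --cert "${dir}/db.crt" "$out"
}

# Usage: ./sbkeys.sh KEYDIR [vmlinuz.efi vmlinuz.signed.efi]
main() {
  dir=$1
  make_keys "$dir"
  make_esl "$dir"
  if [ $# -ge 3 ]; then
    sign_efi "$dir" "$2" "$3"
  fi
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

The db key is the one that matters day to day: once your firmware trusts only your own db (and, if you still want Microsoft-signed option ROMs and shim to boot, the Microsoft certificates alongside it), every new kernel, bootloader or UKI has to be run through `sign_efi` before it will boot, which is exactly the "user action" the comment describes. Keep the PK and KEK private keys offline; they are only needed to change the key hierarchy itself.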
Resolves #1899, resolves #1989, resolves #1864