undefined | Better HN

0 pointsbri3d2y ago0 comments

An attacker still needs to use some kind of semi-advanced attack in the boot chain or DMA to steal the user's data, instead of just plugging in a LiveUSB and going to town.

Yes, there are a lot of vulnerabilities in the Secure Boot process on most devices, because the surface area is huge, but the attacker still needs _some sort_ of vulnerability to gain a foothold.

I agree with the frustration in the gist - Secure Boot and TPM-sealed disk encryption aren't nearly as good as they could be, because the surface area is gigantic and sure to get exploited. But this is a classic Security Nerd vs Reality scenario: while it is absolutely _possible_ to pwn Secure Boot + TPM-sealed encryption in almost any scenario, using it still makes it _much harder_ for an attacker to do so, and most will give up.

0 comments

AnthonyMouse2y ago

For the typical user, losing their data is a greater risk than someone with physical control over their machine being able to access it. The logic board in your computer fails or you forget your password and all your data is gone.

And the default way of mitigating it is an even worse security risk. Now all your data is on some cloud somewhere, waiting for that vendor to get breached or your account to get phished which is now possible without physical control over your device. Plus, if you couldn't get into your computer because you lost access to your account, you also lost access to the data in the cloud.

Whereas if you really do have sensitive data, you still don't need a TPM and get better security without one. You keep a Yubikey in your pocket or memorize a strong passphrase and then the key physically isn't stored on your device.

nine_k2y ago

If your data is this valuable, you certainly do backups? I suppose something like cloud backups is now built-in into windows, and would save your Documents (and maybe more) also by default.

AnthonyMouse2y ago

We're talking about ordinary people here. Their data is valuable to them because it's their pictures of their grandkids and their draft of the Great American Novel and their recipe collection. They're not backing it up themselves, they don't even know how.

But it's also their copy of all their bank statements that include their routing number, which nobody who is physically in their house is going to use against them but is a serious fraud risk if it can be accessed remotely on some cloud.

candiodari2y ago

Windows backups are subpoenable by half the governments on the planet, who have bad actors in them, and may also have exploits for dedicated attackers because they present a huge target.

1 more reply

j / k navigate · click thread line to collapse

0 pointsbri3d2y ago0 comments

An attacker still needs to use some kind of semi-advanced attack in the boot chain or DMA to steal the user's data, instead of just plugging in a LiveUSB and going to town.

Yes, there are a lot of vulnerabilities in the Secure Boot process on most devices, because the surface area is huge, but the attacker still needs _some sort_ of vulnerability to gain a foothold.

0 comments

AnthonyMouse2y ago

nine_k2y ago

If your data is this valuable, you certainly do backups? I suppose something like cloud backups is now built-in into windows, and would save your Documents (and maybe more) also by default.

AnthonyMouse2y ago

candiodari2y ago

Windows backups are subpoenable by half the governments on the planet, who have bad actors in them, and may also have exploits for dedicated attackers because they present a huge target.

1 more reply

j / k navigate · click thread line to collapse