Hacker News | devops99's comments

Why "fight the bots" anyway? If software that is acting out the will of some humans somewhere is retrieving static contents, what's the big deal?


This here is a stronger motivator than any other motivator mentioned in all other comments posted. And "journalist" will include anyone who has the "wrong" memes on their machine.


The more inexpensive option of the newer Trezor wallets and "login PIN" as an optional alternative to a password that also works, seems to be the best option (that I have seen so far).

The more recently released Trezor wallets are still new, and Yubikey 5C will probably be used in many places anyway just because of the keyring and no need for the usb-c cable.


Your hammer is preempted by a teethed hollow point bullet to the face (in the hypothetical scenario, of course).


> vs. FDE with a boot key stored in some cloud service secured with the user's password instead of a TPM

Without secure boot (backed by TPM), I can boot a small USB device that has LEDs on it to indicate to me that the target system has been infected to send me a copy of the target's password, after I already imaged the disk (or when I have another team member steal it or take it by force later).

If there's a UEFI password to access UEFI settings, I can reset it in under 20 minutes with physical access. Some tamper-evident tape on the laptop casing may stop me if I haven't already had a resource intrude into the target's home/office to have some replacement tamper-evident sticker material ready. Very, very few places, even some really smart ones, make use of tamper-evident material. Glitter+glue tamper-evident seals are something I can't spoof though.

It's not that hard to get into a hotel room. Often enough if a business books a hotel for you it's because they want access to your laptop while you're at lunch with another employee who so kindly suggests to leave your backpack in the hotel room.

disclaimer: all above is fictional and for educational and entertainment purposes only


> Without secure boot (backed by TPM), I can boot a small USB device that has LEDs on it to indicate to me that the target system has been infected to send me a copy of the target's password, after I already imaged the disk (or when I have another team member steal it or take it by force later).

Which is the same thing that happens with secure boot, because they just steal the whole device and leave you one that looks the same to enter your password into so it will send it to them.

Meanwhile if you're using tamper-evident materials then you don't need secure boot, because then they can't undetectably remove the cover to get physical access to remove your UEFI password or image the machine.


Thank you for prompting attention to the switcheroo.

This angle of attack is generally unheard of, but should be considered. I can think of some mitigations that can work.

Tamper-evident materials are well-known by the crowds that will target users. There are many criminals among us, so many that those who don't have criminal psychology have a hard time wrapping their mind around it. Given this, I am cynical, and every defense within reasonable cost should be leveraged.


I agree. TPM defends against the most likely threat that typical users are facing. And, where users are individually targeted, the theft/robbery will more often than not be designed to appear "random".

Because TPM sniffers are now at a material cost of about $15 and can be acquired for a price of under $200, more than a TPM is needed for data encryption, especially for users like a CEO. This is why a firm I used to work for encrypted the key that could unlock user data with both TPM plus Yubikey.
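An added illustration, not part of the comment above and not the firm's actual scheme: one way to wrap a data key so that both a TPM-released secret and a hardware-token response are required, which means a secret captured from the TPM bus alone does not unwrap it. The two factors are simulated as constructed byte strings, all names are hypothetical, and the HKDF pad plus HMAC tag stands in for a standard AEAD key wrap.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-and-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_keys(tpm_secret: bytes, token_response: bytes, salt: bytes):
    # Length-prefix each factor so different splits of the same bytes cannot collide.
    ikm = b"".join(len(p).to_bytes(2, "big") + p for p in (tpm_secret, token_response))
    okm = hkdf_sha256(ikm, salt, b"two-factor-key-wrap", 64)
    return okm[:32], okm[32:]  # (one-time pad, MAC key)

def wrap(data_key: bytes, tpm_secret: bytes, token_response: bytes) -> bytes:
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = derive_keys(tpm_secret, token_response, salt)
    ct = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap(blob: bytes, tpm_secret: bytes, token_response: bytes) -> bytes:
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = derive_keys(tpm_secret, token_response, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong factor or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, pad))

# Constructed sample values; real ones would come from the TPM and the token.
TPM_SECRET = bytes(range(32))
TOKEN_RESPONSE = bytes(range(100, 120))
DATA_KEY = hashlib.sha256(b"constructed sample data key").digest()

if __name__ == "__main__":
    blob = wrap(DATA_KEY, TPM_SECRET, TOKEN_RESPONSE)
    print("both factors:", unwrap(blob, TPM_SECRET, TOKEN_RESPONSE) == DATA_KEY)
    try:
        unwrap(blob, TPM_SECRET, b"\x00" * 20)  # TPM secret known, token absent
    except ValueError as err:
        print("TPM secret only:", err)
```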


> there is no standardisation in connectors, pinout, or bus type when it's not soldered onto the board. I have three motherboards with plug-in TPMs and each required a different, unique part that was difficult to source.

This should be prohibited by commercial law.


We have had "FDE" and secure boot with TPM in higher-than-commercial (defense) and the higher end of commercial settings for Linux, BSD, and illumos since TPM 1.2 was available, and I'd have to dig in some places to confirm but probably before Windows did in actual practice anywhere (let alone officially).

Yeah, Debian/Ubuntu, Fedora, etc. didn't have this, but as the saying goes: you get what you pay for. Although enough of the Gentoo users (the real Gentoo users) had such a thing around that time too, if they wanted it (and they tend to put together what they want).

Some essential context: if you think the "Linux community" is elitist, wait until you see the niche commercial (and higher) players. I'm probably an example of such, to be fair.


We already have a safer, less violent society; it's found outside the cities.


Who is the injured party?


The terrorized neighbors who called the cops on him, and the accused himself evidenced by the 3 fingers he blew off in an explosion.


Did Spafford threaten the neighbors directly?

In a legal context, and also the real world sans a legal context, words do have meaning and words do matter. I don't see anything in the article that Spafford terrorized anyone.

Whether Spafford intended to terrorize anyone in the future is another matter, and a matter of legitimate and serious concern. But we must not confuse this with "terrorized" (past tense) if we are going to discuss the matter in a sane and sober way.

