[dosshell]

10 years ago i was working at in a shared office where companies could hire a room. We all had a common lunch place and shared microwaves.

There I met two security nerds. They never shutdown their computers and if it happened, they did a full format and reinstalled the os - because if security.

They spoke with passion about security fixes they made in the vpn client that no other had.

They got many requests regularly from others that they should add there server as an endpoint - and they sad always no. All endpoints must be 100% secure by their knowledge. Never trust anyone.

If they had to leave a laptop they used some old coffee paper trick so that one could not open the lid without visible marks.

I was super impressed by them and have never met any like them. I guess they have grown out of their tiny office now, Mullvad.

[oceanplexian]

I would think you'd do the exact opposite.

If you leave a computer running anyone (Well "anyone" being a skilled adversary) can simply pull out the RAM and grab encryption keys in clear text. Law enforcement does this so often, it's practically routine. The only "safe" system is one that has been long powered off and is using tried and true cryptography, ideally open-source FDE that's been fully audited.

[gzer0]

Mullvad is fully open source, with the source code provided here [1], which has also undergone multiple rounds of audits with the reports available to the public [2][3].

[1] https://github.com/mullvad

[2] https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leak...

[3] https://cure53.de/pentest-report_mullvad_2021_v1.pdf

[OJFord]

It's a shame the API isn't open though. I maintain a Terraform provider for it, but it has to come with a fat warning that it can break due to (reversed) API changes, and that fixing it may require breaking changes or even not be feasible etc.

[WhitneyLand]

It’s practically routine for law enforcement to extract encryption keys from RAM, since when?

I’ve only heard of it being done by researchers and/or special situations.

Is this just speculation?

[vladvasiliu]

> can simply pull out the RAM and grab encryption keys in clear text

Leaving aside the leg work "simply" does here, especially in a coffee shop environment: would AMD's "encrypted memory" help against these kinds of attacks?

I have a laptop with an AMD Zen 3 Pro CPU that has this option in the BIOS and was wondering whether it actually did any good, as opposed to being just some marketing shtick.

[RainaRelanah]

Interesting, I didn't know this was a thing, but after some cursory research it does seem like part of its use case is to stop this attack vector.

[Kototama]

FDE is not enough against physical access, see the evil maid attack.

[oceanplexian]

Well obviously, FDE also doesn't protect you if someone is standing over your shoulder reading you type the password. The point is that leaving a machine turned on, while not in your physical possession puts all of your data at risk. My company would freak if I did this and I don't even work in the security space.

[Kototama]

As you know, the evil maid attack is something different. It's better to be precise and not give a false-sense of security to readers who may be less informed about this subject.

[codewiz]

Full disk encryption won't prevent "evil maid" attacks where keylogging hardware is interposed between the keyboard and the main board, or the entire board is swapped with one with firmware enabling remote "management".

[matheusmoreira]

> pull out the RAM and grab encryption keys in clear text

How to defend against this?

[sodality2]

Shut down your device, don't leave it on at all times. I don't know if there's a way to suspend and encrypt RAM though. But other than that, there's no way to keep a computer running without the miscellaneous data being kept in RAM

[deno]

Besides memory encryption (AMD PRO & Epyc) you can zero-out in-use memory keys before suspend & restore on resume, preferably using sealed storage, like TPM. This is ‘the’ reason to prefer home encryption vs. full disk. The thing is if someone is prepared to attack your laptop with liquid nitrogen they might as well just wait for you to unlock your laptop and then steal it right there, or watch you type in your password; better get your privacy blanket ready ;) Not having physical security is a huge disadvantage, and there’s really no way around it—you automatically start in the defeated position, and have to stack gizmos just to break even.

[goodpoint]

there are methods to store keys in RAM in encrypted form and decrypt them only on the cache and CPU registers

[brobinson]

Talked about a bit here: https://youtu.be/pKeiKYA03eE?t=963

Using debug registers to hold an AES key purely in the CPU is genius.

[tenebrisalietum]

What if I have some sort of trigger (accelerometer attached to a door connected to a serial port, for example) that makes the system kexec to memtest86 before the system is taken?

[goodpoint]

> pull out the RAM

...which could be soldered. Plus, there are methods to store keys in RAM in encrypted form and decrypt them only on the cache and CPU registers.

[hatware]

> simply pull out the RAM

One does not simply pull out the RAM

[gavinray]

  > "They never shutdown their computers and if it happened, they did a full format and reinstalled the os - because if security."

I don't get it

[dosshell]

I don't recall why, it was so long time ago. But my best guess is that they wanted to guarantee that they know what has been booted?

[brobinson]

The sibling comment already mentioned evil maid attacks (not as much of an issue nowadays thanks to SecureBoot and TPMs), but there's also DMA attacks through physical ports: https://en.wikipedia.org/wiki/DMA_attack

[justsomehnguy]

Offline attack aka Evil Maid

[Rastonbury]

What is the coffee paper trick?

[LanternLight83]

It must be attached such it tears when opened, tamper-evident- similar techniques are common fro doors, either across the frame or more stealthily near the hinge. You want it to be a little stealth because an informed adversary could break the seal, remove it, and be prepared to replace/recreate it when they're done (like faking a new wax seal)

[cma]

Maybe overspray some spraypaint on the paper first and take a picture of the droplet pattern, so it can't be replaced easily.

[dosshell]

spot on, but they used coffee to make a unique pattern.