Security notes - security for the everyday person: Difference between revisions
Jump to navigation
Jump to search
(One intermediate revision by the same user not shown) | |||
Line 64: | Line 64: | ||
==Is it important to encrypt...=== | ==Is it important to encrypt...=== | ||
===Is it important to encrypt my laptop or phone?== | ===Is it important to encrypt my laptop or phone?=== | ||
<!-- | <!-- | ||
tl;dr: | tl;dr: | ||
* if you think | * if you think it'll get stolen specifically for the data on it, sure | ||
* it helps against some [[evil maid]] style attacks | |||
* if you think a not-specifically-interested thief might still poke around, and want peace of mind that they can't, yes | |||
:: it's not hard to lose a phone | |||
* do not assume encrypted devices do much against law enforcement, | * do not assume encrypted devices do much against law enforcement, | ||
:: in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications | :: in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications | ||
* if you want to sure that after the next reboot people will have a ''hard'' time getting in, yes. | |||
: '''but''' If it's still on, you might be protected by nothing other than screen lock | |||
Line 79: | Line 88: | ||
{{comment|(and unlike most other kinds of devices, not taking them there ''defeats their point'' so people just ''will do that'')}}. | {{comment|(and unlike most other kinds of devices, not taking them there ''defeats their point'' so people just ''will do that'')}}. | ||
But also that more design went into | |||
Line 140: | Line 150: | ||
--> | --> | ||
==Is it important to encrypt my PC?== | ===Is it important to encrypt my PC?=== | ||
<!-- | <!-- | ||
tl;dr: | |||
: if you think it'll get stolen specifically for the data on it, yes. | |||
: it helps against some [[evil maid]] style attacks | |||
: if you | : if you think a not-specifically-interested thief might still poke around, and want peace of mind that they can't, yes | ||
: yet practically | : yet practically | ||
:: people don't generally take their PCs anywhere - LAN parties happen... less than since the nineties | :: people don't generally take their PCs anywhere - [[LAN parties]] happen... less than since the nineties | ||
:: the first two of the above assumes you are a person of interest, and someone is taking the time specifically on you | |||
:: even theft by non-interested people is not too much threat. Yes, they could poke around, but chances are that they or the next owner will just reinstall the thing. | :: even theft by non-interested people is not too much threat. Yes, they could poke around, but chances are that they or the next owner will just reinstall the thing. | ||
Line 163: | Line 175: | ||
:: ...or other things | :: ...or other things | ||
* added disks would have to be separately encrypted | * added disks would have to be separately encrypted | ||
--> | |||
<!-- | |||
===Is it important to have secure boot / Trusted Execution features / pre-boot authentication=== | |||
It depends on your threat model. | |||
Each of these helps in different ways, | |||
but none of them may be overly relevant. | |||
Say, if you have full disk encryption, physical access does not immediately get people into that data, | |||
but you might care about an [[evil maid]] style attack -- someone tampering with an unattended device, | |||
in this case e.g. to get you to type a password into something that is something else. | |||
Secure boot help ensure you are typing a password into the right thing. | |||
At least, it ups the stakes of the attack - which would now have to replace ''firmware'', | |||
which is very high-effort (complex and model-specific). | |||
Trusted execution | |||
Pre-boot authentication e.g. disables drive reads until, | |||
it e.g. means people cannot boot a liveUSB environment without ''you'', | |||
but neither of these things adds anything when you use full-disk encryption anyway. | |||
Pre-boot auth | |||
Full disk encryption ups the | |||
However, if the device is password protected, as with full disk encryption, the firmware of the device needs to be compromised, usually done with an external drive | |||
Revision as of 15:12, 27 June 2024
Security related stuff.
Securing services
Unsorted - · Anonymization notes · website security notes · integrated security hardware · Glossary · unsorted |