I don't know why I keep hearing of security measures to stop someone sleuthing into bootloaders.
Am I the only person using Linux who isn't James Bond?
[This comment has been deleted by an automated system]
so you never caught a team of government officials in your living room brute forcing your bootloader at 4am as you got up to use the bathroom, huh. Lucky guy.
I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.
The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.
It’s not like there’s a difference in performance nowadays.
TPM's not going to help with that situation, though, right?
Either you're typing in your encryption password on boot (in which case you don't need TPM to keep your password), or you're not, in which case the thief has your TPM module with the password in it.
From what I understand, TPM is "trusted" because of the fact the secrets it contains are supposed to be safe from an attacker with hardware access.
This is what makes it good at protecting data in case of a stolen laptop. This is also what makes it good at enforcing offline DRM or any kind of system where manufacturers can restrict the kind of software users can run on their hardware.
It's 30% legitimate concern over a non-negligible risk of government overreach, 70% having fun pretending to be James Bond.
I mean, i do have some stuff that i encrypt, but encrypting the folder or packing it on a small partitiin and encrypting only this fs after booting makes more sense to me.
I'm still on the hunt for a desktop Linux distro that has no security features or passwords. My usage for this may not be common but it can't be rare enough that there are zero options
Ubuntu, no encryption, select boot to desktop by default when the system installs.
Like, really?
Still smashing in passwords left and right
Ah so you want the windows 98 experience, root access by default all the time without passwords or extra prompts.
I agree that there should be an easy setting to at least allow updates without password. I installed Manjaro for my mom, after a while she complained "there are updates every day and I need to input the password too many times"
TPM bad, put your secrets on a proper encryption peripheral, like a smartcard running javacardOS
TPM will turn into cpu-bound DRM, the more you use it, the more this cancer will grow
[This comment has been deleted by an automated system]
You are only seeing what TPM is now. Not what TPM will become when it become an entire encrypted computing processor capable of executing any code while inspection is impossible.
Imagine denuvo running at ring level -1
[This comment has been deleted by an automated system]
Yes, it's right in the name "trusted platform module". There is no secret that their ambition is to become a space to run code outside the user's reach and scrutiny.
They start with the most legitimate and innocuous purpose. Once it is adopted and ubiquitous it will not suffer the fate of the other attempts and rotting on the vine.
Then surprise TPM 5.0 become full scale full speed trusted execution environment and it's too late to do anything about it. Eventually , non trusted processing capability will be phased out and only Intel and signed code will run.
Today I learned that I actually set up secure boot properly. Neat!
Trusting some obscure hardware might be a bad idea then.
Why do you need full disk encryption in your day to day life? Are you a secret agent? I feel like that would give you our though.
It's not a matter that I would have nothing to hide, this defense is stupid. It's a matter that you should use a security adapted to your need, because the cost doesn't offset the benefit otherwise. And with disk encryption you will far more often be sorry than happy if you're a normal person.
Full disk encryption is something you really want to have when your computer is lost or stolen.
People are imperfect. People have left laptops full of personal and/or commercially sensitive data on trains or planes, had them stolen from cars and houses etc. Full disc encryption is a defence against data breaches especially for computers that are not bolted down. Or it might be as simple as a person not wanting the embarrassment of their porn stash being found.
[This comment has been deleted by an automated system]
This is why I keep my initrd tattooed as a barcode on my testicles.
"Please teabag the web cam to boot."
There's two types of users, those who write a detailed precise technical answer to the subject, and then there's you
You know, I've been thinking about what I want my first tattoo to be for months, you've just given me a great idea
Kernel upgrades are very... Painful.
I don't know why I keep hearing of security measures to stop someone sleuthing into bootloaders.
Am I the only person using Linux who isn't James Bond?
[This comment has been deleted by an automated system]
so you never caught a team of government officials in your living room brute forcing your bootloader at 4am as you got up to use the bathroom, huh. Lucky guy.
Your government doesn't just hit you with a wrench?
I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.
The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.
It’s not like there’s a difference in performance nowadays.
TPM's not going to help with that situation, though, right? Either you're typing in your encryption password on boot (in which case you don't need TPM to keep your password), or you're not, in which case the thief has your TPM module with the password in it.
From what I understand, TPM is "trusted" because of the fact the secrets it contains are supposed to be safe from an attacker with hardware access.
This is what makes it good at protecting data in case of a stolen laptop. This is also what makes it good at enforcing offline DRM or any kind of system where manufacturers can restrict the kind of software users can run on their hardware.
It's 30% legitimate concern over a non-negligible risk of government overreach, 70% having fun pretending to be James Bond.
I mean, i do have some stuff that i encrypt, but encrypting the folder or packing it on a small partitiin and encrypting only this fs after booting makes more sense to me.
I'm still on the hunt for a desktop Linux distro that has no security features or passwords. My usage for this may not be common but it can't be rare enough that there are zero options
Ubuntu, no encryption, select boot to desktop by default when the system installs.
Like, really?
Still smashing in passwords left and right
Ah so you want the windows 98 experience, root access by default all the time without passwords or extra prompts.
Maybe setting auto login and sudo without password can be almost enough? https://askubuntu.com/questions/147241/execute-sudo-without-password
I agree that there should be an easy setting to at least allow updates without password. I installed Manjaro for my mom, after a while she complained "there are updates every day and I need to input the password too many times"
TPM bad, put your secrets on a proper encryption peripheral, like a smartcard running javacardOS
TPM will turn into cpu-bound DRM, the more you use it, the more this cancer will grow
[This comment has been deleted by an automated system]
You are only seeing what TPM is now. Not what TPM will become when it become an entire encrypted computing processor capable of executing any code while inspection is impossible.
Imagine denuvo running at ring level -1
[This comment has been deleted by an automated system]
Yes, it's right in the name "trusted platform module". There is no secret that their ambition is to become a space to run code outside the user's reach and scrutiny.
They start with the most legitimate and innocuous purpose. Once it is adopted and ubiquitous it will not suffer the fate of the other attempts and rotting on the vine.
Then surprise TPM 5.0 become full scale full speed trusted execution environment and it's too late to do anything about it. Eventually , non trusted processing capability will be phased out and only Intel and signed code will run.
Today I learned that I actually set up secure boot properly. Neat!
Trusting some obscure hardware might be a bad idea then.
Why do you need full disk encryption in your day to day life? Are you a secret agent? I feel like that would give you our though.
It's not a matter that I would have nothing to hide, this defense is stupid. It's a matter that you should use a security adapted to your need, because the cost doesn't offset the benefit otherwise. And with disk encryption you will far more often be sorry than happy if you're a normal person.
Full disk encryption is something you really want to have when your computer is lost or stolen.
People are imperfect. People have left laptops full of personal and/or commercially sensitive data on trains or planes, had them stolen from cars and houses etc. Full disc encryption is a defence against data breaches especially for computers that are not bolted down. Or it might be as simple as a person not wanting the embarrassment of their porn stash being found.