What is Anti Evil Maid?

Can you quickly summarize it in easy words?

Anti Evil Maid basically lets you know if there were any unauthorized changes to your system, such as if there was an evil maid attack.

And can you recommend installing it? I wonder why it isn’t installed by default if it increases security.

Anti Evil Maid is not just a straightforward security upgrade. There are some security considerations/tradeoffs to take into account before setting it up. Anti Evil Maid requires connecting a USB device to dom0, which is generally not recommended because it is a potential security risk.
From the Anti Evil Maid documentation https://www.qubes-os.org/doc/anti-evil-maid/:

This presents us with a classic security trade-off: each Qubes user must make a choice between protecting dom0 from a potentially malicious USB drive, on the one hand, and protecting the system from Evil Maid attacks, on the other hand.


Thank you! For what kind of person could AEM be suitable, and for what kind rather not?

as @tech3599 said

The documentation for Anti Evil Maid goes into more depth:

For example, a user who frequently travels with a Qubes laptop holding sensitive data may be at a much higher risk of Evil Maid attacks than a home user with a stationary Qubes desktop. If the frequent traveler judges her risk of an Evil Maid attack to be higher than the risk of a malicious USB device, she might reasonably opt to install and use AEM. On the other hand, the home user might deem the probability of an Evil Maid attack occurring in her own home to be so low that there is a higher probability that any USB drive she purchases is already compromised, in which case she might reasonably opt never to attach any USB devices directly to dom0.


Why exactly is the risk higher when traveling?
A possible option would be to have a mobile router.

This is only a question you can answer based on who you are and who your potential adversaries are and what their capabilities and motivations are.

When you mention a mobile router, I’m not sure you understand yet what AEM is. This is to protect your bios and your boot files. Even if you encrypt your laptop, someone can easily pop in a usb drive and reconfigure your bios and your boot system to do two things: 1. copy your passphrase, making your encryption irrelevant, and 2. install a rootkit on your system, making your secure OS irrelevant.

This is where AEM comes in: it tells you someone likely installed hacks on your system intending to perform capabilities 1. and 2. for collection and compromise. AEM gives you an alert so you know your system has been tampered with, and so you know not to enter your passphrase or boot the compromised system, thus preventing your adversary from completing their attack mission and saving you from having a real bad time afterwards.

A router has nothing to do with this and would not help in this case.

I would also say, concerning the age we live in, and even if your country is considered the most democratic, you should now expect your locks to be picked and your devices to be tampered with no matter who you are, but especially if you practice secure communications. Even average Joes and civilians. We’re all fair game today as the global order shifts and the leviathans desperately try to save themselves from the inevitable.

We’re past the stage where warrants are needed or even considered. This type of invasion wouldn’t be done by local police departments, but by other people beyond the police who are trained specifically for this type of job function: to scout locations where a target resides and watch when the target leaves so they can enter the target’s residence, collect and compromise, and do so without a trace of them having been there. This type of task is a trivial part of their training, a training that has been refined for going on more than a century.

Best of luck to you.

Thank you for your very nice answer.
You mentioned that Evil Maid targets the BIOS. Would it be an alternative to reinstall my BIOS from time to time?

also the boot thing (and more) too

no, it just wastes your time

This is where a completely different bios is likely better suited: not depending on software AEM but instead on hardware AEM with a Librem Key + Heads bios, which wipes out all the nasty stuff that stock bios come with, such as the Intel Management Engine, which is considered a backdoor. Most manufacturers have confidential agreements with NSA / CIA / MI6 and the like to deliver laptops with IME disabled. See here: Dell Special catalog for DOD, NSA, CIA

And see here about the easiest way to get into heads and hardware AEM, just by using the right hardware: Anti Evil Maid and Lenovo x230

You can pick up a barebones x230 with no RAM and no HD for under $150 if you shop around on eBay and Craigslist. Then just buy 16 GB of RAM and the HD you need. Plus get a Librem Key or Nitrokey; they are the same, just different branding.

If you decide to go the x230 route, feel free to post in the x230 thread to get help with your journey.

not 100% wiped

You’re right. From what I read there is something they have to leave in because the system won’t stay on, and they don’t know what this is.

i don’t think so, it won’t boot at all


Please keep the comments in context for us beginners.

Uh, first explanation is: Evil Maid is where one leaves one’s computer alone, like in a motel room. A person, perhaps impersonating a maid, slips into your motel room and modifies either the firmware or some part of the OS to be able to spy on the person.

Corporate Intel installs into their CPUs a means to change the basic firmware of the CPU without my consent or knowledge, which would allow them other means to alter my computer so they can spy on me. The Intel Management Engine has this bit of Intel-created malware in it. However, to use the computer one needs other parts of the Intel Management Engine to run the computer. At one time it was known how to delete the malware part, and the computer would run for thirty minutes and stop.

Now it is known how to install a version that keeps running. The more complete means of getting rid of the potential of an Evil Maid sneak attack, and of verifying that the basic firmware of the computer and the OS have not been tampered with, is to install the complete package of the latest Coreboot/Heads while using a specialized encrypted USB key (Librem Key, Nitrokey).

The big thing to notice in this conversation is that the process of using an AEM (Anti Evil Maid) and using Heads do not always play well together.

Before installing one or the other, be aware of the eventual end of what one wants to accomplish.

The implied questions: while we talk of the Intel Management Engine (IME), it is believed that AMD (the other big processor company) also has a means to change its basic CPU code without the user knowing.

If one’s enemy is not a government or a big power organization, then perhaps one does not need to worry about the IME being changed. There is no record of a changed IME “in the wild,” nor has one ever been seen implemented. Changing someone’s OS is more likely.

The government created a laptop that was meant to allow their workers to log on through a pre-set VPN. They allowed hackers to test the computer, which they broke into on the first try in less than an hour.

I suspect that using Heads with an encrypted key is the more complete and difficult-to-break option.

Sorry if I included information already stated or well known to the reader.

I heard that is just when the IME detected tampering (at least for Intel ME 13+)


I admit to only reading others’ notes. I do not have experience with this use of AEM.

I am just pursuing using Heads with a Librem encryption key, eventually, and from what little I have read I would not use the AEM software install at all to achieve that goal.

Heads will prevent both Evil Maid attacks and IME malware, and some other possible avenues of attack, so I understand. Please correct me where I am wrong.

I will wait until I have another Lenovo X230 to risk and look at the then-latest information on installing Heads. Perhaps consider buying a Pi (a hundred dollars to flash one laptop).

Heads does clean most of IME, but it does not prevent these other attacks. It tries to tell you if there has been such an attack. What you do then depends on you and your threat model.

If you are up to resealing your secrets after updates, etc., then AEM or Heads is good - but in my experience, many ordinary users will hit a wall there.
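The two points made above (AEM alerting you when the bios or boot files were changed so you know not to type your passphrase, and having to reseal your secrets after every legitimate update) both come down to one mechanism: a measured boot chain compared against a sealed expectation. The following is an added illustrative model written for this thread, not Qubes or AEM code; the TPM is simulated in software, and the boot components, version strings and secret text are constructed placeholders.

```python
# Added example: toy model of the measured-boot check behind Anti Evil Maid.
# Not Qubes/AEM code. A TPM is simulated: a Platform Configuration Register
# (PCR) starts as zeros and every boot component is "extended" into it as
#   PCR = SHA256(PCR || SHA256(component))
# so the final value depends on every component and on their order. A secret
# is sealed to the expected PCR and is only released when the measured PCR
# matches. Real AEM relies on the TPM and the bootloader for this, not on code like this.
import hashlib
from typing import Dict, Optional

PCR_SIZE = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: the register can only be advanced, never set directly."""
    return sha256(pcr + sha256(component))


def measure_boot(chain: Dict[str, bytes]) -> bytes:
    """Measure every component in boot order (keys sorted: firmware, bootloader, hypervisor)."""
    pcr = bytes(PCR_SIZE)
    for name in sorted(chain):
        pcr = extend(pcr, chain[name])
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Bind a secret to a PCR value (a real TPM encrypts it; here it is only tagged)."""
    return {"pcr": expected_pcr, "secret": secret}


def unseal(blob: Dict[str, bytes], measured_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the boot chain measured exactly as expected."""
    return blob["secret"] if blob["pcr"] == measured_pcr else None


# Constructed sample boot chain; the contents are placeholders, not real images.
GOOD_CHAIN = {"0_firmware": b"vendor firmware 1.0", "1_grub": b"grub core", "2_xen": b"xen 4.x"}
SECRET = b"purple elephant"  # the text AEM would show the user on an untampered boot


def tampered_bootloader_is_detected() -> bool:
    """A modified bootloader changes the PCR, so no secret is shown: do not enter the passphrase."""
    blob = seal(SECRET, measure_boot(GOOD_CHAIN))
    evil = dict(GOOD_CHAIN, **{"1_grub": b"grub core (modified)"})  # constructed tampering
    return unseal(blob, measure_boot(evil)) is None


def update_requires_reseal() -> bool:
    """A legitimate Xen update also changes the PCR; the user must reseal (the 'hit a wall' step)."""
    blob = seal(SECRET, measure_boot(GOOD_CHAIN))
    updated = dict(GOOD_CHAIN, **{"2_xen": b"xen 4.y"})  # constructed update
    before = unseal(blob, measure_boot(updated))  # None: indistinguishable from tampering
    resealed = seal(SECRET, measure_boot(updated))  # done by the user after verifying the update
    return before is None and unseal(resealed, measure_boot(updated)) == SECRET
```

The model shows why AEM cannot tell an update from an attack by itself: both change the measurement, and only the user, by resealing after a trusted update, restores the expected value.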

I take it “hit a wall” means they have to reset the Nitrokey/Librem Key to reflect the updated OS. They decide they have spent enough time trying to verify the computer had not been tampered with, when they were pretty sure it had not been, and are not willing to spend the time to learn how to reset the Nitrokey/Librem Key. Is that what you meant?

The little bits of knowledge you have based on your experience are very useful to those of us who have not been that far down the path. It is good when the more knowledgeable folks here post.

Exactly so, although “willing” is somewhat judgemental. I completely agree with the health warning on the Heads site - at the moment it is not yet ready for non-technical users.

Thank you for the clarification. It is easy to write of things that are obvious to a more expert person, and not clear to those of us who have not experienced trying to implement a solution which is vague to them.

I have been trying for some time to wrap my head around this, but still have a ways to go.

Can Heads/AEM detect all hardware attacks? For example, I’ve heard that it may be possible for an attacker to remotely modify peripheral firmware such as in the NIC. Is that something Heads or AEM can detect?