The author did an excellent job explaining what an evil maid attack is, but a very poor job of explaining how their proposal mitigates such an attack.
I think the classic "Detecting unauthorized physical access with beans, lentils and colored rice" [0] approach is simpler to understand and simpler to implement. It doesn't rely on any hardware, such as a Raspberry Pi or other technology which can be more easily subject to scrutiny via Ken Thompson's "Reflections on Trusting Trust".
This reminded me of the (real life) story of Oleg Gordievsky, the FSB officer who was a double agent for the west[1]. He was alerted to the fact that the FSB were on to him and had been in his apartment because there were three locks on his front door but he never locked one of them as he didn’t have the key. He came home one day to find all three were locked.
[1] Read “The Spy and the Traitor” by Ben Macintyre. It’s incredibly gripping and at times hard to believe the courage and perseverance of the people involved but it was real.
Instead of deleting the secret on trip, and requiring a re-arm, it could instead derive a new secret on trip, by e.g. hashing the previous secret. That way you don't have to manually re-arm it, and you get a record of all trips.
Say e.g. a bug walks in front of the camera, tripping it. Then 1 hour later an evil maid comes in and tampers with the system. In my design, you could look at the photo record, see that the 1st trip was a false alarm, then continue looking at the data, and see that the 2nd trip was something real.
Compared with the current design, the bug would trip it, then you would get no record of the actual evil maid. You would see the photos of the bug tripping it, and think "oh, it's just a false alarm, I don't need to worry", and trust the computer, even though it's tampered with.
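The ratcheting idea in the comment above, sketched as an added example that is not part of the original thread or of the Tripwire project. `Device`, `ratchet`, `count_trips` and `verify_log` are hypothetical names, and SHA-256 with HMAC is an assumed choice for the "hashing" the comment mentions; the owner is assumed to keep the seed offline.

```python
import hashlib
import hmac
import secrets

def ratchet(secret: bytes) -> bytes:
    """One-way step: the previous secret cannot be recovered from the new one."""
    return hashlib.sha256(b"tripwire-ratchet" + secret).digest()

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Device:
    """Hypothetical sensor node; it only ever stores the current secret."""
    def __init__(self, seed: bytes):
        self._secret = seed
        self.log = []  # (event description, tag) pairs, one per trip

    def trip(self, event: str) -> None:
        self._secret = ratchet(self._secret)  # old value is overwritten
        self.log.append((event, _mac(self._secret, event.encode())))

    def respond(self, nonce: bytes) -> bytes:
        return _mac(self._secret, nonce)

def count_trips(seed: bytes, device: Device, max_trips: int = 1000):
    """Owner side: walk the chain from the offline seed until the response matches."""
    nonce = secrets.token_bytes(16)  # fresh challenge, so answers cannot be replayed
    answer = device.respond(nonce)
    s = seed
    for n in range(max_trips + 1):
        if hmac.compare_digest(_mac(s, nonce), answer):
            return n
        s = ratchet(s)
    return None  # secret is not on the chain: device swapped or state corrupted

def verify_log(seed: bytes, log) -> bool:
    """Entry i must be tagged under the secret reached after i+1 ratchet steps."""
    s = seed
    for event, tag in log:
        s = ratchet(s)
        if not hmac.compare_digest(_mac(s, event.encode()), tag):
            return False
    return True
```

A trip count higher than the number of surviving log entries means records were deleted after the fact; `None` means the device no longer holds any secret derived from the owner's seed.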
This isn't a tripwire. This is a canary. You have to actively check a canary. A tripwire would send notifications in real time without the user needing to check.
An evolution of this would be to put a server on a different network, a remote location, and have it pump out warnings the moment movement was detected and/or contact with the "tripwire" system was lost.
But the best way of preventing evil maid attacks remains knowing your hardware. Anyone trying to swap out my laptop, or open it, is going to have a problem replicating my scratch marks, my non-standard OS boot screen, or prying out the glue holding in the RAM modules (to prevent cold boot attacks).
The bullet point stating that tripwire was built for "High-ranking officials in businesses/organizations" should be removed, because that group is very unlike the "Developers of critical software", "Investigative journalists", and "Attorneys with high-profile clients" which are also mentioned.
Everybody who had the pleasure to work with "high-ranking officials in businesses/organizations" knows that this group is the one who overrides many technically optimal decisions and thinks internal policies do not apply to them. Their lives are not affected if a device is compromised because they are financially stable and can just blame an intrusion on the IT team.
Show HN: Tripwire: A new anti evil maid defense
(github.com) 78 points by DoctorFreeman 11 December 2025 | 47 comments
Comments
[0] https://dys2p.com/en/2021-12-tamper-evident-protection.html
https://en.wikipedia.org/wiki/Tripwire_(company)
https://en.wikipedia.org/wiki/Open_Source_Tripwire
It's rather an anti evil maid tool, or an evil maid defense. :)
Sorry for being pedantic, but with the arms race within cybersecurity, "anti something defense" sounds like double negation to me.
[0] https://en.wikipedia.org/wiki/Tripwire_(company)
Why?! Will it trigger W.O.P.R. and start attempting to brute force missile silo keys?