
If you care about this, then put the laptop in a tamper-evident bag. Those are necessarily imperfect too; but there's work making tamper-evident seals to resist up to state-level attacks, since that's relevant in stuff like enforcement of nuclear weapons treaties. That succeeds to the extent that you can find a physical effect that's easy to create and measure, but hard to recreate deterministically. (In concept, dump a pile of glitter over your thing. The effort to dump the glitter, take two pictures, and compare is small. The effort to recreate a given glitter distribution flake by flake is large. Likewise for laser speckle from random rough surfaces, and many other effects.)

You could check a laptop for malware later by reading out literally every bit of nonvolatile state, including the BIOS and stuff, and confirming that all changes had expected form (to files you meant to work on, etc.). Of course, then you have to trust the equipment you use for that...

A little weird that he ran the experiment. Did he really suspect that malware was routinely getting installed by attackers with physical access to laptops during business travel? If yes, then why didn't someone notice it calling home or whatever?



> If you care about this, then put the laptop in a tamper-evident bag.

How does this procedure work for multiday evil maid situations? The first day while you're out the maid replaces your collection of plastic disposable tamper-evident bags with faulty ones that open with a particular chemical but otherwise look identical. The second day the maid tampers with your laptop and you don't notice. Do you just have to take the whole box of additional bags with you everyday? That seems prohibitively inconvenient.


If this were a job interview, then I'd say "put the spare bags in with the laptop"...

Or the "bag" can be the laptop's existing case. You can put seals (stickers, or the sparkly nail polish trick mentioned below) over all the fasteners and seams of the laptop, fill all the non-power ports with epoxy, etc. None of these make tampering impossible, but they can make it uneconomic.

I don't think anyone at serious risk of these kinds of attacks lets computers out of their physical control. I've seen agencies that do the seals/epoxy even for computers inside their secure facilities, presumably to give their guards more time to catch an inside tamperer.


Professional poker players have been dealing with this type of risk for years. Major poker tournaments present a juicy target for organised hacking gangs. A high-stakes pro might have tens or hundreds of thousands of dollars deposited in their PokerStars account. Hundreds of professional players in a tournament cardroom means hundreds of very valuable laptops left in hotel rooms.

The most sensible precautions seem to be a) full-disk encryption with a strong passphrase, b) hardware 2FA using a token that is stored separately from the computer, c) physically securing the machine whenever possible and d) tamper-evident seals covering screwholes or seams.

If your adversary is capable of beating these precautions, you're probably screwed anyway.

https://www.f-secure.com/weblog/archives/00002647.html


So part of the point of tamper-evident seals is that they are difficult to duplicate. The bags themselves should be readily verifiable, e.g. with a serial number for basic verification at least. The sort of seals used for nuclear treaty enforcement actually most commonly use little fibers that are randomly mixed in with plastic and their pattern is photographed, making them extremely difficult to duplicate.


That won't help while crossing borders, who would want to open the bag without necessarily tampering with it.


A border agent would just open that bag right in front of you, making it not a particularly useful measure of being tampered with.

I suppose a large amount of the problem could be solved just by taking checksums of all non-volatile memory on the device - however that doesn't check for, for example, hardware keyloggers which might be inserted without your consent, and then a thorough evaluation of the hardware would be necessary. However that still doesn't tell you if somebody has simply tried to copy data off of your device - so maybe in this case you need something which physically marks the device in the case that the hard drive is removed and presumably accessed outside your computer, like those dye traps they use in banks and when transporting money.
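The checksum idea in the comment above, combined with the earlier suggestion to confirm that every change "had expected form", as an added example that is not part of the original thread. It assumes the hashing is run from separately trusted boot media against the mounted disk; the tree, file names and the `home/notes/*` pattern are constructed for illustration, and firmware and hardware implants are outside what it can see.

```python
import fnmatch
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full, digest = os.path.join(dirpath, name), hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def unexpected_changes(before, after, expected_patterns):
    """Return {path: kind} for each change no expected pattern accounts for."""
    findings = {}
    for path in sorted(set(before) | set(after)):
        if before.get(path) == after.get(path):
            continue  # unchanged
        if any(fnmatch.fnmatch(path, pat) for pat in expected_patterns):
            continue  # a file the owner meant to work on
        findings[path] = ("added" if path not in before else
                          "removed" if path not in after else "modified")
    return findings

def demo():
    """Constructed sample tree standing in for a mounted disk (assumption)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("home/notes/trip.txt", b"draft 1")
        write("boot/loader.bin", b"original loader")
        before = snapshot(root)                       # taken before travel
        write("home/notes/trip.txt", b"draft 2")      # expected edit
        write("boot/loader.bin", b"patched loader")   # not expected
        write("boot/extra.bin", b"new file")          # not expected
        return unexpected_changes(before, snapshot(root), ["home/notes/*"])

if __name__ == "__main__":
    print(demo())
```

The "before" manifest has to be stored off the laptop, otherwise whoever alters the disk can alter the baseline too.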


> Did he really suspect that malware was routinely getting installed by attackers with physical access to laptops during business travel? If yes, then why didn't someone notice it calling home or whatever?

I doubt it but his job is to suspect all sorts of things. If you are going to attempt to quantify risk then some experimentation is in order rather than simple speculation. As to "notice it calling home", it is surprising how much is missed. For example, Meltdown and Spectre were predicted many, many years ago ...


Tens of millions of laptops have been exposed to at least as much evil maid opportunity as the author's. That's either a much stronger natural experiment than his artificial one, or the biggest sleeper attack in history. Like, the Israelis still had to blow up the centrifuge eventually...


I tend to specify a fair amount of tin foil when buying a hat and I also suspect you are correct with this assertion:

> Tens of millions of laptops have been exposed to at least as much evil maid opportunity as the author's

However, do you have a decent citation for that assertion?


Pure handwave. Let's call an "exposure" a one-way trip plus half the hotel stay. So the author's laptop got (3+5) * 2 = 16 exposures.

Air passengers make about 3B trips per year. A laptop lasts about three years. I said "tens of millions", so if I'm right then we have at least 16 * 20M exposures on existing laptops. That would mean at least one passenger in 28 travels with a laptop and is as careless as the author was.

That seems high to me--like, it's not too common to check your laptop (unless you were flying from an Arab country last year...). On the other hand, that ignores opportunities before the laptop's first retail sale. Those seem more attractive to me--more time to work, less diverse hardware, etc.--and almost every laptop sold is exposed that way.

So my comment above was probably too flip. His experiment still seems pointless to me, though.


The kind journalists at The Intercept are likely to be targeted by state actors, who might even be prepared to risk some zero days too?


I don't think he thought he was targeted, if he thought the hacker stickers would make a difference. But if I had an exploit like that and was targeting a security-conscious journalist, then (a) I'd be mystified when he checked his laptop, and probably unprepared to take advantage, and (b) I doubt I'd risk my >$1M exploit--even if I could hide it perfectly in some firmware, it still has to communicate out to the world somehow, and that's where it's likely to get noticed.


I'm thinking of the David Miranda case, for example. If you talk to the Intercept at all in any way prior to going through customs I think you can expect to be delayed while they take a closer look at you. It's not really paranoia if they probably are out to get you ;)


Why not place a hidden battery powered camera pointed at your laptop and secretly record what goes on in the room when you're away?


> put the laptop in a tamper-evident bag

Do you have URLs to products that are big enough for, say, 17" laptops?




