German Government Warns Windows 8 Is an Unacceptable Security Risk 373
An anonymous reader writes "Die Zeit has access to leaked documents from the German government warning that Windows 8 is an unacceptable security risk for sensitive workloads. The story is written in German here, but automatic translators (such as Google Translate) do a readable job. Particularly of concern is the inability to opt out of TPM 2.0 usage."
This is known (Score:5, Funny)
Danke.
Re:This is known (Score:5, Insightful)
Except in the last few months we have had complete and utter proof we are no longer paranoid enough of U.S.A. intelligence agencies and their co-opting of U.S.A. companies to do their work for them.
At this point we can completely trust that Microsoft Windows is and will be used for industrial and governmental espionage activities by the U.S.A. intelligence agencies.
Oblig Blackadder quote (Score:5, Funny)
Re: (Score:3)
Re:Oblig Blackadder quote (Score:4, Funny)
Have you seen any suspicious operating systems? Nein! I mean... 8!
How many planets are there? Nine! I mean... 8!
Re: (Score:3)
Re:This is known (Score:5, Insightful)
Re: (Score:3)
If anything, most of the people who got called "paranoid" were actually too conservative in their estimates. That's the scariest part about it.
Re:This is known (Score:4, Interesting)
Re: (Score:3, Funny)
It really isn't all bad, it created a need for multiple virus and malware businesses.
And untill Win8 has always helped chip companies to sell faster processors to deal with the increasing slowiness for each version of Windows.
Oh..right... maybe it sucks.
Re: (Score:3, Informative)
When you're a government, there's a difference between a product whose bugs can be mitigated with sufficient money thrown at security vendors, and a product that by design keeps control in the hands of a company whose government has a known history of spying on you. The TPM in Windows 8 is the latter.
Windows is an option today - not an requirement (Score:5, Insightful)
Good thing alternatives exists.
I am not advocating they should "just change". I am just saying that on a personal level I am very happy that thrustworthy alternatives exists, and that Windows (no longer) is an requirement at the workplace or at home, but just an option.
Thank you, Stallman, Linus, and all you other people around the world, who have used your time to provide us with these alternatives.
And, yes, I know some people will claim that Windows is an requirement for the specific uses you have. I don't really care - for the wast majority of computing users around the world, Windows is an option, not an requirement. And, I am happy for that.
Re: (Score:2, Interesting)
It's be like me thanking the Lougheads and forgetting Ader, Whitehead and the Wrights.
Typical misleading Slashdorks.
Re: (Score:3, Informative)
The license of Unix we use costs about $20,000 for the number of users we have.
Not practical for most people. Thank the people who make it practical. It's you who is wrong, not him.
Re:Windows is an option today - not an requirement (Score:5, Informative)
Actually it was licensed with the source code to Universities. This was still a proprietary license and the Univerities could not re-distribute except under certain conditions. This licensing was what lead to the lawsuit between Unix System Laboratories (USL) and the Univerity of California, Berkeley when the USL attempted to claim all the changes that UCB made to the source belonged to USL. There was a settlement behind closed doors, however as part of the SCO lawsuits I believe the terms of this agreement were made public.
Interesting read on this here. [wikipedia.org]
Re:Windows is an option today - not an requirement (Score:4, Informative)
But would require CS majors to know how to work them, and was not available on normal PCs, which were too weak then to run Unix. So anyone who could afford PCs would then need DOS, and then on top of that, things like WordPerfect, Lotus or dBase. So it's indeed the explosion in the usage of Linux that's made this possible.
Linux has also lowered the usability bar. With Unix, one was stuck with Bourne Shell or C Shell, and could only enjoy GUIs like OpenLook or Motif if one was at a company or university that had installed workstations from Sun, DEC, SGI, et al. With Linux, GUIs like KDE had been the default from day 1, and now there's a bonanza of them - GNOME, LXDE/Razor-qt, XFCE, Unity, Cinnamon, et al.
Re: (Score:3, Interesting)
Linux has also lowered the usability bar. With Unix, one was stuck with Bourne Shell or C Shell, and could only enjoy GUIs like OpenLook or Motif if one was at a company or university that had installed workstations from Sun, DEC, SGI, et al. With Linux, GUIs like KDE had been the default from day 1, and now there's a bonanza of them - GNOME, LXDE/Razor-qt, XFCE, Unity, Cinnamon, et al.
Your slip is showing. The Linux fans, apparently, don't even realize that OS X is the most popular Unix (a certified one, at that). That segue from "Sun, DEC, SGI" straight to Linux was a sight to behold. That you had to list 6 GUIs for Linux tells us that none of them are very good (despite the thickly caked-on makeup), and the Linux fans who normally promote and critique them scarcely know what they even are.
Think that's a bizarre thing to say? Here's why it isn't: You all deprecate the meaning of the "In
Re: (Score:3)
With Linux, GUIs like KDE had been the default from day 1, and now there's a bonanza of them - GNOME, LXDE/Razor-qt, XFCE, Unity, Cinnamon, et al.
Ummmm.... No.... they really haven't. You obviously weren't a Linux user around 1995. Just getting X11 running was a serious PITA affair much less getting it to do anything. FVWM and FVWM95 were pretty popular. xfm was a common file manager. OpenLook was around for Linux too. Commercial versions of Motif and CDE were around I think.
DOZENS of Window Managers for X11 have existed over the years. Full desktop environments you can probably count on 2 or 3 hands.
Re: (Score:3)
It's not a matter of forgetting, we all know who invented Unix. We also know that until Stallman and Linus, Unix in it's various commercial flavors was a fantastically expensive OS that was entirely out of reach for most and BSD was so thoroughly tied up in legal wrangling that it might have gone *poof* any day.
So yeah, without Richie and Thompson there would be no nix, but without Linus and Stallman it would be several times more expensive than the hardware.
Re: (Score:3)
You think that's bad, my captcha was schaudenfreude!
Re:Windows is an option today - not an requirement (Score:4, Interesting)
Re: (Score:3)
more then pci-e X4 no $30 cables, no $600 Expansion Chassis.
Re:Windows is an option today - not an requirement (Score:4, Interesting)
I'm not so sure if running Linux would be any safer with a machine that has the trusted computer module built in. Does it even need to be a separate piece of silicon or could it be built into the cpu?
Maybe intel inside, might at some point change meaning and at what point does this occur ten years time, now or already?
Maybe Germany might create a demand for non trusted computers but would they keep them clean or just put in their own backdoors?
Ok we know that the USA spies on everyone even their own, but lets not pretend it isn't happening all over the world. Name a trustworthy Government any where.
Re:Windows is an option today - not an requirement (Score:5, Interesting)
The concept behind TPM could work really well, if every user compiled their own operating system, and set up the unique keys such that only their code was trusted. Thus, every user would have complete control over all the source and binary software on the system. Even in a business environment, if at least the business was in complete control of all of the source and binary software, then TPM would be of some use.
The problem is that Microsoft wants to use TPM to play a bunch of DRM movies. The DRM schemes are inherently insecure, so Microsoft opens its security window accordingly. The result is that Microsoft's security model becomes "trust Microsoft, the NSA, movie companies. music companies, game companies, and etc", with no one knowing who the "etc" is. As such, from a secure systems perspective, the resulting DRM operating system has no obvious chain of accountability. Worse, any lesson in security starts with "never trust the vendors default installation." DRM assumes "never trust the customer." With the end result being that no one trusts anyone and TPM can never be secure (with commercial closed-box software.)
For TPM to truly deliver on its security promises, everyone needs to switch to open source software where everyone compiles unique binaries with custom keys. Microsoft will never do this.
Re: (Score:3)
Try to buy today a computer/notebook that don't includes Windows 8, even gets bricked if you try to use something else, and that the manufacturer refuse to support if you installed something else on it.
In the other hand, this should improve the selling of the ones that are open regarding that (i.e. that you can install Linux on it with all the hardware working, and that gets manufacturer support even if you do so), and put the ones that went fully on Windows 8 in even more troubles. Hope that most governme
Re: (Score:3)
Well, I guess I can always buy a Chromebook.
Re: (Score:3)
I am just saying that on a personal level I am very happy that thrustworthy alternatives exists,
I like Linux too, but I'm not that excited.
Re:Windows is an option today - not an requirement (Score:4, Funny)
Balmer is that you?
Re: (Score:3, Interesting)
Yeah, because BSD worked out so nicely for FreeBSD and others in the family. And BSD community is now thriving, thanks to all the commits and return of code from the most open OS - iOS and OS X. Oh, wait, they don't? Ah, who cares about facts, when I can throw dirt at GPL, because those dirty programmers won't let me take the source add some stuff for incompatibility and then sell it off as my own, without sharing source code with the users, they 're clearly infringing on my entitlement to their work.
Re: (Score:3)
Re: (Score:3)
TPM is great for security
Yes, security of the entity the module trusts. And of no one else.
but corps and governments should love it?!
Only the corp or government whom the module trusts. Rest all should doubly hate it.
Not just Win8 (Score:3, Interesting)
Everything Microsoft produces. I have the misfortune of working with the MS developers on a regular basis and if I had a nickle for every time they told me they didnt know how their own software works I'd be richer than Bill Gates.
Nevermind the inherent security flaws in their crap OS, my concern, and the concern from every foreign country should be MS's willingness to work with the NSA. If ever there was a time to ditch Microsoft and go Open Source it is now.
Re: (Score:2)
Which Microsoft software are you referring to? If you expect people that develop in ASP.NET to know how the Windows kernel works, do you also expect people who develop websites in OSS languages to know the intracacies of the Linux kernel?
Re: (Score:2)
Windows. And he isn't talking about people who write software in ASP.NET, he's talking about the people who created and maintain ASP.NET.
Re: (Score:2)
Yes of course. I misread it as "working with MS developers" not "working with the MS developers". My apologies.
Re: (Score:2)
Indeed. On large software products like those Microsoft is famous for, is often necessary not to know how every component of product works at a detail level. There are abstractions in place to allow the work to be easily divided amongst a large number of developers, and you typically won't know the implementation details of modules that you didn't have a hand in creating. There's simply too much code for anyone to truly know how everything works. "I don't know" is often the right answer.
That is, unless
Re: (Score:2)
Re:Not just Win8 (Score:5, Funny)
I had a nickle for every time they told me they didnt know how their own software works I'd be richer than Bill Gates
If it takes them 10 secs to say that, and Bill Gates has 50 billion dollars, it would take you 16000 years to get that rich.
Re:Not just Win8 (Score:5, Funny)
Thank you, Sheldon.
Re:Not just Win8 (Score:5, Insightful)
Are you totally ignorant of the software world?
Linux is at this point more popular than windows, if we count embedded devices and servers. Windows has come a long way, but until very recently it had some serious problems. The issue stems from the design philosophy not any level of obscurity.
Re: (Score:2, Informative)
Windows 8 runs on other platforms too. Go look at the linux tablet market share and compare that to windows 8 tablet share.
I have used linux for that long on the desktop. Works fine.
Marketing matters far more than you think. Bud is a very popular beer, and no one really thinks it is a good beer.
Re: (Score:3)
iOS is not linux. Android is. It uses the kernel and is not proprietary.
Definition of "Quality" (Score:4, Funny)
You must be using the industry definition of "Quality", i.e. compliance with quality standards like ISO 9001. Your comment reminds me of a business plan, "Monkey Maid Service", made by an engineer friend of mine:
Step 1: Purchase a supply of monkeys, monkey housing, and monkey chow from traceable sources, documenting the origins of every piece of material involved.
Step 2: Draft a standard process for "Performing maid service" using the monkeys purchased in step 1. If I recall correctly, his rough draft of this process included "dress the monkeys in French maid costumes, then release them in the house for the period of time specified in the contract".
Step 3: Have supervision in place to ensure work performance follows documented procedure, and record performance metrics (% monkeys dressed as French maids, deviation from contract time) for auditing purposes.
Step 4: Advertize the service as ISO 9001 compliant.*
If every can of Budweiser tasting the same is your definition of quality, then sure, it's a quality product. By the way, my friend has a maid service you may be interested in using after your next party.
*I've probably missed a few crucial 9001 compliance steps; quality geeks, please don't crucify me over that ;)
Re: (Score:3)
Are you ignorant yourself? We are talking about Windows 8 (a desktop and recently tablet OS). Linux desktop has less than %1 market share.
If it was a better product , users would prefer it with its free price. I have used Linux for 15 years (on servers) but I cannot bear it on desktop.
Most people talking about Windows 8 since, well, long before it was even released were talking about how bad it sucks. So I guess according to your claims, Windows 8 and Linux are about equal on the desktop then. Although I would strongly disagree; it's 2013 and Linux has been pretty damn good "on the desktop" for years now. I switched to it from Windows XP back in 2006 and it improves all the time... and at this point, I would never switch back.
Meanwhile, on the Windows side you've got the usual increased
Re: (Score:2)
He didn't say anything about Development Environments, he was talking about Operating Systems.
Re:Not just Win8 (Score:5, Insightful)
> The only reason that I can think that an open source OS would be more secure than Windows is because of obscurity.
No, obscurity doesn't offer much security at all.
Open Source stuff tends to be more secure because it has so many people looking at it, from many different perspectives, both professionals and amateurs, all working together to improve the code and make it more secure.
Microsoft, on the other hand, are the only people who can patch and improve their code. And they have demonstrated again and again that they can't be trusted to do this in a timely and useful manner.
Re:Not just Win8 (Score:5, Insightful)
The advantage of Open Source is that you or anyone else can fix the software if/when security problems are found, whether in the OS, core libraries, network stack, or any Open Source applications. We are not dependent on the original developers to make any such fixes. I have done this a couple times in the past by fixing security issues in open source code before the developer fixes were available (I could have waited a day and got the developer fixes).
Advantage of closed source - HOSTS file (Score:3)
The advantage of Open Source is that you or anyone else can fix the software if/when security problems are found, whether in the OS, core libraries, network stack, or any Open Source applications. We are not dependent on the original developers to make any such fixes. I have done this a couple times in the past by fixing security issues in open source code before the developer fixes were available (I could have waited a day and got the developer fixes).
Advantage of closed source - you can edit the HOSTS file and be done instead of doing all that.
Re:Not just Win8 (Score:4, Insightful)
The advantage of Open Source is that you or anyone else can fix the software if/when security problems are found, whether in the OS, core libraries, network stack, or any Open Source applications.
Theoretically? Totally, no worries. Alpha plus.
In the real world? How often does that occur? How many people are investigating the code to find security problems? How many of those people are sufficiently competent to fix security problems?
There are bugs which remain open for years. There have been reports of security flaws discovered which have been present for years before being detected. If thousands of developers truly were poring over the code, this shouldn't occur.
I won't deny the advantage you state is very real. I will assert that it is an advantage which is rarely exploited in any meaningful fashion.
Re:Not just Win8 (Score:4, Insightful)
I see it this way... people that write malware, trojans, or what ever do so to make money and they pick the largest easiest target doesn't matter the OS or the software that runs on it but one way or another they will make money. You cannot make an OS secure enough to persuade them to do something else when there are so many gullible user to take advantage of. This is why there is now boat loads of malware, adware, crapware for android.
Visual Studio could be better but it's more like a rapid development environment and shouldn't be compared to a regular IDE.
Re: (Score:3)
Yeah, too bad there isn't a German Linux distro
Oops
https://www.suse.com/ [suse.com]
Re: (Score:3)
That being said, a complete education is beyond the scope of a single post, or even a set of hundreds of posts. I won't say Google it yourself, but I will say to go get yourself an education on the subject.
Re: (Score:3)
It isn't even close to a security through obscurity claim.
Hey, what a great point! I wish I had mentioned targeted attacks! Oh wait ... that's right ... I did. That being said, you are right. The heterogeneous nature of Linux is not what makes a targeted attack less likely to be successful. What makes a targeted attack less likely to be successful is that Linux is written from the ground u
How is TPM a security risk? (Score:4, Informative)
TPM is nothing more than a hardware keystore, I'm not sure how they'd see it as a security risk unless they're worried that the NSA has the MS signing key's private key (probable) but even then it doesn't exactly give you worse security than other OS's without access to a hardware keystore.
Re:How is TPM a security risk? (Score:5, Interesting)
Re:How is TPM a security risk? (Score:5, Interesting)
So we have a case of sour grapes, then? Unless one of the NSA requests was "we want a backdoor" then this by itself doesn't mean much because the NSA is a weird creation that not only spies on everyone, but has an "information assurance" department that tries to design secure systems for US usage. They're behind the creation of SELinux which is both highly sophisticated and well reviewed by independent third parties. It does not have back doors. Also, many important constructions in cryptography were designed by the NSA. For example SHA2 was designed by the NSA and it is extensively studied. It has never been found to contain even a hint of a back door.
This crap about how the TPM allows Microsoft to remotely control computers for DRM purposes came up over a decade ago when trusted computing extensions were first designed. It was FUD back then with no connection to reality, and it's certainly FUD today too. If you want to learn about the actual next-gen TC technologies, go and read up on Intel SGX. Then go and read this post on bcflick [bitcointalk.org], a use of the TPM and trusted computing designed to make Bitcoin wallets more secure. That's the kind of thing the tech is designed for. The TPM isn't even electrically capable of controlling the CPU.
Re: (Score:3)
I am a bit unclear as to how you go from "everything the Germans wanted was ignored" to "sour grapes". Could you please explain your thought process there?
Re:How is TPM a security risk? (Score:5, Interesting)
But since nobody actually knows, and because if the NSA informed Microsoft to hand over the keys they'd be legally required to, and because while they help design 'secure systems for US usage' nobody trust them for anything that isn't the US.
So, it's OK if you want to trust TPM, Microsoft, and the NSA. But that doesn't mean that the rest of the world has any reason to do so.
I think you are increasingly going to see governments around the world look at Microsoft and say "do we want to put all of our infrastructure in the hands of someone who has to take orders from a US spy agency?" And I think the only logical conclusion is going to increasingly be "no, not really".
Re:How is TPM a security risk? (Score:5, Insightful)
I think you are increasingly going to see governments around the world look at Microsoft and say "do we want to put all of our infrastructure in the hands of someone who has to take orders from a US spy agency?" And I think the only logical conclusion is going to increasingly be "no, not really".
Oh hey, look, a Windows Update -- A remote root level patch to my operating system, one that in the past has had glaring issues with certificate signing, and now we suspect could be gag ordered and required to hand over the keys to install anything the NSA wants into any Windows system on the planet.
I think the question will be, "Do we want to use software with a HUGE BACKDOOR in it for anything at all ever?" And I believe the conclusion is going to be far worse than, "no, not really".
Meanwhile the "conspiracy nuts" who've seen the writing on the wall for decades (Omnivore, Carnivore, ECHELON, PRISM, etc) can smugly declare either, "Finally" or "I told you so." then go right back to being ignored by fools at large.
Re:How is TPM a security risk? (Score:5, Insightful)
I was also a nice trustworthy person which caught people by surprise when I stole money from their wallets.
Ok no I wasn't but just because the NSA has at times released software without backdoors should in no way influence your opinion of their future performance, especially given future performance is malware that provides a back door, not to mention back doors to every ISP in the country, spying on international conferences etc. Honestly it would be outright foolish to assume that anything they had a major hand in is safe.
That said TPM serves one purpose, secure the system from the prying hands of the user. The only thing holding back DRM being the primary beneficiary of TPM is the lack of adoption and the fact that TPM is entirely voluntary. If every computer had a TPM module regardless of the users preference you could be damn certain that many DRM schemes would be using this. A trusted key store safe from the user is exactly the kind of security system a DRM scheme needs to operate well.
Just because something hasn't (yet) come true does not make it FUD.
Re:How is TPM a security risk? (Score:5, Informative)
The only thing holding back DRM being the primary beneficiary of TPM is the lack of adoption and the fact that TPM is entirely voluntary. If every computer had a TPM module regardless of the users preference you could be damn certain that many DRM schemes would be using this.
Microsoft has announced [microsoft.com] that from January 1, 2015 all computers will have to be equipped with a TPM 2.0 module in order to pass the Windows 8.1 hardware certification. And while not every computer will run Windows, I very much doubt you'll find a computer that can't run Windows so that's the end of TPM-less hardware. Of course Windows 8.1 will run on non-TPM hardware but I figure in a few years Windows 9 will refuse to run on anything but TPM-enabled hardware. That's the end of the PC as an open platform and you can already prepare for the funeral.
Re:How is TPM a security risk? (Score:4, Informative)
A hardware keystore you don't have the keys to.
Re:How is TPM a security risk? (Score:5, Informative)
http://en.wikipedia.org/wiki/Trusted_Platform_Module [Wiki]
See "Criticism" section:
"... The concerns include the abuse of remote validation of software (where the manufacturer — and not the user who owns the computer system — decides what software is allowed to run) and possible ways to follow actions taken by the user being recorded in a database, in a manner that is completely undetectable to the user.
In simple words, it removes user's ability to control the hardware he owns, reducing the device to hardware maker's stealthy agent.
It is "Trusted" to hardware manufacturer, but, the same makes it "uncontrollable" for the user - making the user dependent on trust to the manufacturer, or whatever government or authority there is at particular location."
Re:How is TPM a security risk? (Score:5, Informative)
In short: The BSI doesn't unconditionally trust Microsoft around sensitive documents and recommends that no TPM 2.0 compatible OS from Microsoft is used where those might show up because TPM 2.0 makes trust in the OS vendor mandatory. Win8/TPM2 is okay for home users who don't want to think about computer security but it has no business being around stuff that might cause harm if leaked to foreign intelligence agencies.
Re: (Score:3)
Re: (Score:2)
So I can write and erase anything I want to in the TPM?
Re:How is TPM a security risk? (Score:5, Insightful)
Some issues:
It's a hardware keystore under the control of the vendor: they have access to your keys, you don't have access to their keys.
If you've bought only-certified-for-use-outside-the-US hardware you may find yourself only able to run the OS-with-NSA-backdoor "export" version of your chosen operating system.
If your software vendor decides (or has decided for them) that your web browser (for example) should not permit you to access certain websites, it can be enforced in hardware outside of your control.
The remote "attestation" feature as originally designed could effectively identify individuals (or at least individual pieces of hardware) on the Internet, effectively abolishing any vestige of privacy. It is siad that Direct Anonymous Attestation introduced in the latest round of TPM specs permits the integrity of the TPM (for Digital Rights Management) to be tested without revealing the identity of the device.
In other words, if you have control of the TPM, it's exactly "just" a hardware keystore. However, if you don't have control, or if control must be ceded to another party in order to run some particular piece of software, you are entirely under the control of that party - and whoever controls them. And if you suspect your security is being compromised, you can't necessarily fire up a debugger or trace system calls, because unless that debugger has been signed by the OS vendor it's not going to run and you have no means of knowing whether it behaves as documented. It's a potential rootkit mechanism: you have to trust the OS vendor implicitly. And that's the point - it's not about allowing you to "trust" the vendor, it's about the vendor's "trust" in their control of you.
Re: (Score:3, Funny)
Re:How is TPM a security risk? (Score:5, Insightful)
This. This is overblown BS written by someone who doesn't understand TPM and what it can and can't do.
The story also fails to mention that the TPM module is usually an option and typically only available on corporate PC's. Not to mention the fact that it can be disabled in BIOS/EFI if you are admin over that system.
TPM is not even required by Windows 8. RT... well that's another issue but this article is mainly about PC's, not RT tablets.
What? (Score:2)
Re:What? (Score:5, Informative)
It is insecure because you CAN'T use it for your purposes.
It is only there for MS and, by extension, the NSA.
You didn't think that secure boot crap was for YOUR benefit, did you?
Re:What? (Score:5, Interesting)
Re: (Score:2, Troll)
It is insecure because you have to use TPM and can't opt out. So it's not you defininig the security parameters, it's Microsoft. And the agencies sitting in Microsoft's back and dictating the rules.
But this is patently untrue (if we care about facts), you can opt out.
The TPM is going into the CPU. You will not be able to opt out. It's a fact. It will still be in there. Do you really believe there won't be a way to turn it on and use it against you? And if so, on what basis? By the very specification, you are not permitted to be in charge of your own hardware. That is unacceptable to say the least.
Re:What? (Score:5, Informative)
If you don't trust the security of TPM, or that it doesn't have in-built stuff the NSA can use to spy on you ... then, yes, you have to consider it insecure.
It's a 'secure' system you don't control, which means if you need a secure environment, you need to trust a 3rd party.
If that 3rd party is Microsoft, who we know is beholden to the NSA -- then you betcherass it's considered insecure. Essentially, the German security people are saying "we don't trust Microsoft or the NSA/US government" -- therefore the entire platform is considered not secure.
One of the biggest complaints about TPM is that you have to explicitly trust whoever controls the keys and the like. And if you don't control it, and don't trust the 3rd party, the whole thing is garbage.
So, it makes perfect sense -- because TPM has never been about the users ability to define their own trust, it's about the manufacturer saying "you're going to have to trust us or not use our stuff". So, not using their stuff is the logical conclusion.
Re:What? (Score:5, Insightful)
True as that may be, there are encryption keys stored in there that the owner of the device doesn't control.
So, if I'm building a secure environment, and I know there is a component I do not control or can't isolate (you can't disable this, remember) -- then I have to try to remove that component. That component is TPM, which is more about DRM than securing the computer for the owner.
Well, have fun with that.
Due to the Patriot Act, Microsoft is no longer a trustworthy entity. In fact, no US company is anymore. Not for their cloud services, and not for any installation which needs to be secure.
If the US government wants to make US corporations an arm of their spy agencies, don't bitch and moan when other governments decide there are risks they can do without in using those products -- because unless they're willing to take MS or the NSA at their word (and, really, why would they?), they have to assume these systems are compromised.
A year or two ago when some of us were saying these cloud services were something you couldn't trust due to the Patriot Act, people were saying "oh, don't panic, it's no big deal". But since it's now patently obvious that the NSA can and does tap Microsoft to provide them some data -- I would have to say it's pretty much objective fact that, no, you really can't put trust in them beyond what you can 100% control.
You feel free to trust who you like. And the rest of the world will do the same. I'm sorry, but the US government and Microsoft have pretty much demonstrated that they're not something you can trust.
Re: (Score:2)
And the Chinese are? Unless you can design and fabricate your own chips, you have to trust somebody. I'll take Microsoft over the Chinese any day. But, to each their own.
Re: (Score:3)
True as that may be, there are encryption keys stored in there that the owner of the device doesn't control.
The only key that software does not control is the master RSA key, which of course you cannot control because the safeguard is that every device ever to be made (should) have a unique one, which is why its burned into the silicon (not rewritable by anyone.. ever.. not you.. not by the operating system.. not by a software update)
Why is it that people on slashdot dont have a clue how technology works anymore?
Essentially the root key is like a UUID taken to the hardware level, but instead of passing aroun
Re:What? (Score:4, Informative)
Why is it that every smarmy little shit on Slashdot thinks everyone else is an idiot?
Yes, exactly. But in this case "don't run that software" applies to Windows.
It's the OS which is utilizing the TPM, and therefore it's the OS you can't trust. What part of that are you not understanding?
This was the whole point of TFA -- since Windows 8 uses this TPM shit, and you can't turn that off, you inherently can't trust the OS. The software you stop using because you don't trust the TPM isn't your own software, it's the fucking OS.
Re: (Score:3)
since Windows 8 uses this TPM shit, and you can't turn that off, you inherently can't trust the OS.
Given that Vista was TPM aware that means that Win 7 is too. Why isn't the BSI saying that any Windows OS greater than Win XP unsecure?
Re:What? (Score:4, Informative)
My understanding was TPM became mandatory with Win 8, and in previous versions was optional.
It's the non-optional part that is the problem. Microsoft made it mandatory, and that changed quite a bit.
So, if you deem TPM isn't trustworthy, it makes Win 8 not trustworthy.
And the follow-up article (Score:5, Informative)
Of course, with the extent now clear of the US government's use of US IT companies to maintain American political and economic advantages, if you were running a non-US-based company or a non-US-governmental organization, you'd want to do as much critical business with non-American hardware, software and services as possible.
Re: (Score:2, Flamebait)
Where the BSI takes issue [www.zeit.de] with their reporting. Of course, with the extent now clear of the US government's use of US IT companies to maintain American political and economic advantages, if you were running a non-US-based company or a non-US-governmental organization, you'd want to do as much critical business with non-American hardware, software and services as possible.
I wouldn't take technological advice from Die Zeit. They still think steam engines will never replace the Spinning Jenny. ... the BSI ... bruahahaha.
Also
*snort*
Whatever backdoor MS has planted for whoever asked them will propably have made its way into any older Windows version via their automatic update.
Re: (Score:3)
NSA VPN searches on XKeyScore (Score:4, Interesting)
One of the example searches about XKeyscore, (the NSA software that lets them do ad-hoc searches on everyone's private comms) was
"show me all new VPN connections in country X"
How does it get the VPN connection data? When I investigated Windows *7*, I notice that when a VPN connection is made by the OS, the software makes two connections, one directly to a Microsoft server bypassing the VPN and one through the VPN. Both share session ids. It seems to flag to Microsoft (and NSA) the two IP addresses (via the VPN / original un-routed VPN address).
So they're focussing on Windows 8, but Windows 7 has its share of nightmares.
Then has anyone looked at Symantec / Norton 360 etc.? With all it's "password vault" features and online URL checks. It could be the NSA has served these companies with secret warrants. So we may not be able to trust that it will flag NSA spyware, or that passwords are not making their way into the Utah Stasibase.
Re: (Score:2, Insightful)
Do you have a link to some sort of evidence? I'm sure lots of people would love to see that.
Re: (Score:2)
I think it's much more likely the NSA figure out the VPN stuff by simple traffic analysis - they don't need Microsoft to tell them anything (particularly as I'm sure they're well aware that a large percentage of VPN connections don't involve Microsoft platforms). Doesn't mean I'm not interested in the phone home connection though...
Re: (Score:2, Interesting)
Bullshit and FUD. If this were the case the web would be lit with packet dumps from people demanding an explanation. Pics or it didn't happen.
Have you looked closely at ANY "cloud based" AV lately? They all communicate with the mothership if you don't wrap the ethernet in tinfoil! *snort* Surely we need to move to Russian or Chinese sourced AV for complete security right?
BSI published a clarification (Score:5, Interesting)
The BSI (Bundesamt für Sicherheit in der Informationstechnik) published a clarification after websites reported about that Windows 8 warning: https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2013/Windows_TPM_Pl_21082013.html [bsi.bund.de]
Basically, they pedalled back a bit. They now claim they never warned about Windows 8 itself, but about possible risks when combining Windows 8 with TPM 2.0, because the user no longer has complete control over his system and that because of that, the user could end up in a situation where the system is permanently unusable. They no longer mention the US / the NSA and the possibility for backdoors, instead they now just mention the possibility of "sabotage", and the need for an opt-in AND opt-out for things like TPM 2.0.
Re: (Score:2)
this whole thing is typical anti-Microsoft hype however, one example of where you can get fucked is if you use disk encryption with the TPM module. Your disk is forever mated with the motherboard and if the mobo dies first, so goes your disk.
How can something... (Score:2)
How prophetic was this: (Score:3)
From Wikipedia's TPM talk page in 2007:
As much as I love the NSA looking through email and phone records, I would prefer that the had to *at least* work for it. Trusted Computing (What a crock BTW) says it can be turned off, but does anyone know how? Fosnez 07:52, 13 February 2007 (UTC)
more government FUD (Score:2)
I mean, the moment that "government" is included in a statement about technology policies, you should just look away. There is no reason why TPM makes Windows 8 less secure, and as a platform, Windows 8 is one of the most secure versions of Windows created. While I would argue greatly that Windows 8 is about as secure as any other OS (I mean hell, Linux is full of security patches just as much as any other mutha fucking OS), this screams of stupid anti-Microsoft lobbying using FUD as their "factual" ground
German government too wordy. (Score:3)
They could have just stopped at "Unacceptable."
Privacy issues (Score:4, Informative)
How Pathetic (Score:3)
Logical leaps (Score:3)
Perhaps it is the google translation but I don't understand the logic in the point being made by TFA.
I agree the world is better off without TPM or anything like it because it becomes too cheap and easy for opressive regimes to lock down computation to only approved operating systems modified to constantly monitor and snitch on the end users activities. There is also risk of PCs turning into lockdown hell that is smart phones and tablets.
Real world "secure boot" benefits to end users are questionable at best. With physical access all bets are off and an attacker could just as easily replace a motherboard as they could a disk drive.
The "freedom" arguments seem to be logically separate from trust argument being made..and this is the problem I don't understand how TPM negativly impacts trust in a vendor/OS.
It seems to me whether the operating system is booted secure or insecure you are still very much at the mercy of the underlying OS not to do shit behind your back contrary to your interests. This requires trust in the vendor and trust in the legal regime the vendor is bound by force to operate.
If you want to say MS is not trustworthy because of NSA fine. If you want to say MS is not trustworthy because it is Microsoft fine... But the TPM argument...I simply don't see the connection.
Re:The next time you call FauxNews Sensationalisti (Score:5, Informative)
Re: (Score:3)
I'd like to know when the Germans thought they had control over the operating system.
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2013/Windows_TPM_Pl_21082013.html [bsi.bund.de]
4th paragraph translated through google:
"From the perspective of the BSI, the use of Windows 8 in combination with a TPM 2.0 is accompanied by a loss of control over the operating system and the hardware used. This result for the user, especially for the federal government and critical infrastructure, new risks. In particular, on a h
Re:The next time you call FauxNews Sensationalisti (Score:4, Informative)
As a German I get regularly headaches when I'm watching Fox News or similar "news". The American news are like game shows, flashing light, CGI effects, running texts everywhere, cut screens, cut clips. It's like news for babies, like the assumed average concentration span is only 5 seconds of the viewers.
Re:The next time you call FauxNews Sensationalisti (Score:4, Funny)
Once the reprogramming has been completed the headaches will go away.