German Government Warns Windows 8 Is an Unacceptable Security Risk

An anonymous reader writes "Die Zeit has access to leaked documents from the German government warning that Windows 8 is an unacceptable security risk for sensitive workloads. The story is written in German here, but automatic translators (such as Google Translate) do a readable job. Particularly of concern is the inability to opt out of TPM 2.0 usage."

Windows is an option today - not an requirement

[madsdyd]

Good thing alternatives exists.

I am not advocating they should "just change". I am just saying that on a personal level I am very happy that thrustworthy alternatives exists, and that Windows (no longer) is an requirement at the workplace or at home, but just an option.

Thank you, Stallman, Linus, and all you other people around the world, who have used your time to provide us with these alternatives.

And, yes, I know some people will claim that Windows is an requirement for the specific uses you have. I don't really care - for the wast majority of computing users around the world, Windows is an option, not an requirement. And, I am happy for that.

Re:This is known

[Anonymous Coward]

Except in the last few months we have had complete and utter proof we are no longer paranoid enough of U.S.A. intelligence agencies and their co-opting of U.S.A. companies to do their work for them.

At this point we can completely trust that Microsoft Windows is and will be used for industrial and governmental espionage activities by the U.S.A. intelligence agencies.

Re:What?

[Anonymous Coward]

It makes complete sense, a government wants to ensure they have complete control over the hardware being used for sensitive data. If they are unable to opt out of using TPM that means the keys to that hardware would be under someone elses control.

Not exactly strategically sound to have key hardware at the mercy of foreign providers, or even domestic corporations in some cases.

I was under the impression that TPM2.0 was still opt-outable though

Re:Not just Win8

[h4rr4r]

Are you totally ignorant of the software world?

Linux is at this point more popular than windows, if we count embedded devices and servers. Windows has come a long way, but until very recently it had some serious problems. The issue stems from the design philosophy not any level of obscurity.

Re:NSA VPN searches on XKeyScore

[Anonymous Coward]

Do you have a link to some sort of evidence? I'm sure lots of people would love to see that.

Re:Not just Win8

[Anonymous Coward]

> The only reason that I can think that an open source OS would be more secure than Windows is because of obscurity.

No, obscurity doesn't offer much security at all.

Open Source stuff tends to be more secure because it has so many people looking at it, from many different perspectives, both professionals and amateurs, all working together to improve the code and make it more secure.

Microsoft, on the other hand, are the only people who can patch and improve their code. And they have demonstrated again and again that they can't be trusted to do this in a timely and useful manner.

Re:Not just Win8

[Skapare]

The advantage of Open Source is that you or anyone else can fix the software if/when security problems are found, whether in the OS, core libraries, network stack, or any Open Source applications. We are not dependent on the original developers to make any such fixes. I have done this a couple times in the past by fixing security issues in open source code before the developer fixes were available (I could have waited a day and got the developer fixes).

Re:How is TPM a security risk?

[cardpuncher]

Some issues:

It's a hardware keystore under the control of the vendor: they have access to your keys, you don't have access to their keys.

If you've bought only-certified-for-use-outside-the-US hardware you may find yourself only able to run the OS-with-NSA-backdoor "export" version of your chosen operating system.

If your software vendor decides (or has decided for them) that your web browser (for example) should not permit you to access certain websites, it can be enforced in hardware outside of your control.

The remote "attestation" feature as originally designed could effectively identify individuals (or at least individual pieces of hardware) on the Internet, effectively abolishing any vestige of privacy. It is siad that Direct Anonymous Attestation introduced in the latest round of TPM specs permits the integrity of the TPM (for Digital Rights Management) to be tested without revealing the identity of the device.

In other words, if you have control of the TPM, it's exactly "just" a hardware keystore. However, if you don't have control, or if control must be ceded to another party in order to run some particular piece of software, you are entirely under the control of that party - and whoever controls them. And if you suspect your security is being compromised, you can't necessarily fire up a debugger or trace system calls, because unless that debugger has been signed by the OS vendor it's not going to run and you have no means of knowing whether it behaves as documented. It's a potential rootkit mechanism: you have to trust the OS vendor implicitly. And that's the point - it's not about allowing you to "trust" the vendor, it's about the vendor's "trust" in their control of you.

Re:How is TPM a security risk?

[thegarbz]

I was also a nice trustworthy person which caught people by surprise when I stole money from their wallets.

Ok no I wasn't but just because the NSA has at times released software without backdoors should in no way influence your opinion of their future performance, especially given future performance is malware that provides a back door, not to mention back doors to every ISP in the country, spying on international conferences etc. Honestly it would be outright foolish to assume that anything they had a major hand in is safe.

That said TPM serves one purpose, secure the system from the prying hands of the user. The only thing holding back DRM being the primary beneficiary of TPM is the lack of adoption and the fact that TPM is entirely voluntary. If every computer had a TPM module regardless of the users preference you could be damn certain that many DRM schemes would be using this. A trusted key store safe from the user is exactly the kind of security system a DRM scheme needs to operate well.

Just because something hasn't (yet) come true does not make it FUD.

Re:How is TPM a security risk?

[cbope]

This. This is overblown BS written by someone who doesn't understand TPM and what it can and can't do.

The story also fails to mention that the TPM module is usually an option and typically only available on corporate PC's. Not to mention the fact that it can be disabled in BIOS/EFI if you are admin over that system.

TPM is not even required by Windows 8. RT... well that's another issue but this article is mainly about PC's, not RT tablets.

Re:Not just Win8

[Zero__Kelvin]

"I have programming friends that applaud Visual Studio, so I'm not sure if other professionals share your hatred."

Yes. True and competent professionals share the hatred. Even those who begrudgingly use Microsoft software share it. Show me a guy running around saying "I like Windows; it's great!" and I will show you someone who is by definition incompetent.

"The only reason that I can think that an open source OS would be more secure than Windows is because of obscurity."

That is the best reason I have seen in quite some time to stop thinking about the issue with your current level of knowledge, which is exceedingly inadequate, and to start actually learning about what you are talking about.

"That's to say it's not safer because it intrinsically better programmed, but because it's not popular enough to warrant as many people trying to find exploits in it"

It is safer if not poorly administered for many, many reasons. An improperly configured system is unsafe, no matter what OS you use. That being said, a properly administered Linux system is more secure than a Windows system, and it has absolutely nothing to do with the number of people trying to find exploits. People focus on Windows because it is the low hanging fruit. The much more desirable target is Linux, which runs in all the major corporations including Google and Microsoft. The market share for the desktop is greater with Windows, but the important data is on Linux servers, meaning the real professionals would much rather find Linux exploits.

Furthermore, the homogeneous nature of Windows makes it less safe. Because Linux comes in many, many flavours and the kernel in use can and will be different even with the same version release (due to varying config options) it is literally impossible to create an attack that works on all, or even most, Linux systems. Any exploit you can come up with will only work on a very small subset of systems in the wild. Ergo, only targeted attacks make sense on Linux. Trying to come up with a virus that will affect all Linux systems the way one can come up with one that will affect all Windows 7 systems, for example, is a fools errand.

Re:Not just Win8

[pr0fessor]

I see it this way... people that write malware, trojans, or what ever do so to make money and they pick the largest easiest target doesn't matter the OS or the software that runs on it but one way or another they will make money. You cannot make an OS secure enough to persuade them to do something else when there are so many gullible user to take advantage of. This is why there is now boat loads of malware, adware, crapware for android.

Visual Studio could be better but it's more like a rapid development environment and shouldn't be compared to a regular IDE.

Re:What?

[gstoddart]

When it comes to hardware, the only way to completely trust it is to go to where the chips are being manufactured, and study the entire design of each chip being used in whatever device you're worried about.

True as that may be, there are encryption keys stored in there that the owner of the device doesn't control.

So, if I'm building a secure environment, and I know there is a component I do not control or can't isolate (you can't disable this, remember) -- then I have to try to remove that component. That component is TPM, which is more about DRM than securing the computer for the owner.

I'd much rather trust Microsoft than some generic Chinese chip maker.

Well, have fun with that.

Due to the Patriot Act, Microsoft is no longer a trustworthy entity. In fact, no US company is anymore. Not for their cloud services, and not for any installation which needs to be secure.

If the US government wants to make US corporations an arm of their spy agencies, don't bitch and moan when other governments decide there are risks they can do without in using those products -- because unless they're willing to take MS or the NSA at their word (and, really, why would they?), they have to assume these systems are compromised.

A year or two ago when some of us were saying these cloud services were something you couldn't trust due to the Patriot Act, people were saying "oh, don't panic, it's no big deal". But since it's now patently obvious that the NSA can and does tap Microsoft to provide them some data -- I would have to say it's pretty much objective fact that, no, you really can't put trust in them beyond what you can 100% control.

You feel free to trust who you like. And the rest of the world will do the same. I'm sorry, but the US government and Microsoft have pretty much demonstrated that they're not something you can trust.

Re:How is TPM a security risk?

[VortexCortex]

I think you are increasingly going to see governments around the world look at Microsoft and say "do we want to put all of our infrastructure in the hands of someone who has to take orders from a US spy agency?" And I think the only logical conclusion is going to increasingly be "no, not really".

Oh hey, look, a Windows Update -- A remote root level patch to my operating system, one that in the past has had glaring issues with certificate signing, and now we suspect could be gag ordered and required to hand over the keys to install anything the NSA wants into any Windows system on the planet.

I think the question will be, "Do we want to use software with a HUGE BACKDOOR in it for anything at all ever?" And I believe the conclusion is going to be far worse than, "no, not really".

Meanwhile the "conspiracy nuts" who've seen the writing on the wall for decades (Omnivore, Carnivore, ECHELON, PRISM, etc) can smugly declare either, "Finally" or "I told you so." then go right back to being ignored by fools at large.

Re:Not just Win8

[kiwimate]

The advantage of Open Source is that you or anyone else can fix the software if/when security problems are found, whether in the OS, core libraries, network stack, or any Open Source applications.

Theoretically? Totally, no worries. Alpha plus.

In the real world? How often does that occur? How many people are investigating the code to find security problems? How many of those people are sufficiently competent to fix security problems?

There are bugs which remain open for years. There have been reports of security flaws discovered which have been present for years before being detected. If thousands of developers truly were poring over the code, this shouldn't occur.

I won't deny the advantage you state is very real. I will assert that it is an advantage which is rarely exploited in any meaningful fashion.

Re:This is known

[spire3661]

It bothers me that you still call it 'paranoia'. WE weren't paranoid, they really were doing bad shit.