
German Government Warns Key Entities Not To Use Windows 8

TaoPhoenix:
It certainly changes my plans to show people how to make Windows 8 more user friendly. Leaving it as-is would seem to make this a self correcting problem. Good thing I was starting with Windows 7 anyway.
-Vurbal (August 23, 2013, 07:53 AM)
--- End quote ---

Bingo. If it was *just* a stupid interface, whatever. But if there's TPM junk in there, then it has active reasons not to adopt it.

Does anyone know for sure if Win7 had the same module, or if Win8 is the first one?

Vurbal:
It certainly changes my plans to show people how to make Windows 8 more user friendly. Leaving it as-is would seem to make this a self correcting problem. Good thing I was starting with Windows 7 anyway.
-Vurbal (August 23, 2013, 07:53 AM)
--- End quote ---

Bingo. If it was *just* a stupid interface, whatever. But if there's TPM junk in there, then it has active reasons not to adopt it.

Does anyone know for sure if Win7 had the same module, or if Win8 is the first one?

-TaoPhoenix (August 23, 2013, 08:49 AM)
--- End quote ---

If I understand correctly, and assuming both the German government and the folks who reported on the leaked document do as well, the backdoor is only in TPM 2.0. It appears Windows XP, Vista, and 7 all have implementations of TPM 1.x, the latest version being 1.2.

Reading between the lines a little, and knowing just enough about TPM in Windows 7 / Server 2008 to make a barely educated guess, it seems like the difference isn't so much in what version is supported (I think it's mostly a driver issue) as whether it's enabled by default and whether it is ultimately under the user or administrator's control.

I would definitely be concerned about Windows 7, though, since that's the first version where the old monolithic OS was separated into smaller, semi-independent parts. Theoretically that makes major alterations to the kernel of the type which might be necessary for backporting TPM 2.0 more likely than for previous versions. OTOH it's not nearly as much of a modular design as Windows 8 so I wouldn't bet on it.

40hz:
Use a proprietary closed operating system, and that's a risk you take.

With Microsoft, you get what you pay for. And a whole lot more besides. :-\

Vurbal:
After some additional reading this is my (only slightly) more educated assessment.

* 1.x versions of TPM use encryption keys generated by the motherboard's TPM chip at the request of the OS while the keys for TPM 2.0 chips will be pre-generated (by the Trusted Platform Computing Group?) and supplied to the chip makers to hardcode into their chips.
* TPM, regardless of version, can theoretically be disabled by the motherboard's BIOS settings. Whether that option is available is, of course, up to the vendors. [1]
* TPM support can be disabled via the registry, at least through Windows 7. There's even (apparently - I can't be bothered to check) a Group Policy setting for it. The option may or may not exist in Windows 8 and setting it may or may not actually work as advertised. I suspect it is still there and, at least for the moment, still effective.
* The standards development process (within the TPCG) changed for version 2.0 and third parties, including the German government, were excluded. However it appears one of the documents shared with some of those excluded includes a statement suggesting the NSA was still involved. [2]
* The secrecy surrounding development of the standard combined with the implications of giving Chinese chip manufacturers direct access to the encryption keys and the lack of transparency in Windows code makes it impossible to know whether there might be:
  * An existing TPM 2.0 backdoor in Windows which just needs the appropriate hardware to become an active threat.
  * An existing TPM 2.0 backdoor which isn't active but could potentially be unlocked by an OS update - particularly difficult to detect for a major update like Windows 8.1.
  * A way for Microsoft to add a TPM 2.0 back door via an OS update without it being detected until it's too late.
* Because of the necessity for tight integration into the kernel, it's more or less impossible for any of those to be true of older Windows versions simply because TPM 2.0 wasn't anywhere near complete at the necessary point in time. [3]

[1] With UEFI and Secure Boot even access to the BIOS settings to begin with is an open question. Except for Windows RT devices since it's disallowed by licensing requirements.

[2] The NSA's involvement, in and of itself, isn't at all unusual. It's the combination of shutting out foreign governments while still including the US government that's notable.

[3] On this point the German government probably has more accurate information than any non-governmental entity outside the TPCG. However that also means there's no way to confirm that there aren't errors in their analysis.

Based on all that I'd say it's a non-issue for any current hardware, regardless of what Windows version you use. For future hardware it's a big concern, and regardless of what version of Windows you have the default assumption should be that TPM 2.0 is a vulnerability simply because of where the attack points are.

Since TPM 2.0 also matches Microsoft's completely public agenda to transform Windows into a Walled Garden in the hopes of replacing their dying Windows/Office licensing revenue streams, it's reasonable to assume forcible use of TPM 2.0 is closely aligned with their interests in any case. The safest bet is to avoid both TPM 2.0 and Windows 8 completely. With most of that being purely in the control of companies who have a vested interest in TPM 2.0 adoption that leaves simply avoiding Windows 8 as the safe bet since that is in your control.

Stoic Joker:
Did/does Windows 7 support TPM? Yes. The BitLocker drive encryption is dependent on it. The more important question here, I think, is does your hardware have a TPM chip?

Honestly I'm more than just a bit skeptical about the article's claims about what TPM is capable of. Seems more like they're lumping several different (and somewhat unrelated) technologies into one story with just a bit of straw. The phrase "jumping at shadows" comes to mind... *Shrug*

Remember there was a time when hardware based viruses were discovered and folks yelled for an encrypted/protected boot sector ... Now they have one ... and they're mad about it. I really just don't get that part.
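A way to answer Stoic Joker's "does your hardware have a TPM chip?" and to check the enabled/owned state that Vurbal's list talks about, as an added PowerShell example that is not from this thread. It assumes an elevated prompt on Windows Vista or later, where the Win32_Tpm WMI class is available to administrators.

```powershell
# Added inventory script (not from the thread). Reports whether this machine has a TPM,
# which TCG specification family it implements (1.2 or 2.0), who made it, and whether
# it is enabled, activated and owned. It reads the Win32_Tpm WMI class, present on
# Windows Vista and later; run from an elevated PowerShell prompt, because the class
# is only visible to administrators.

function ConvertFrom-TpmManufacturerId([uint32]$Id) {
    # The TCG vendor ID is four ASCII bytes packed big-endian into a 32-bit integer,
    # e.g. 0x49465800 decodes to "IFX" (Infineon); trailing unused bytes are zero.
    $bytes = [BitConverter]::GetBytes($Id)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    ([Text.Encoding]::ASCII.GetString($bytes)).TrimEnd([char]0)
}

function Get-TpmInventory {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No instance means no TPM, or one that is disabled or hidden in firmware setup.
        return [pscustomobject]@{
            Present = $false; SpecFamily = $null; Manufacturer = $null
            Enabled = $false; Activated = $false; Owned = $false
        }
    }
    # SpecVersion is a comma-separated string such as "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first field is the specification family the chip implements.
    $family = ($tpm.SpecVersion -split ',')[0].Trim()
    # Each Is*() WMI method returns an object whose same-named field carries the boolean.
    [pscustomobject]@{
        Present      = $true
        SpecFamily   = $family
        Manufacturer = ConvertFrom-TpmManufacturerId $tpm.ManufacturerId
        Enabled      = [bool]$tpm.IsEnabled().IsEnabled
        Activated    = [bool]$tpm.IsActivated().IsActivated
        Owned        = [bool]$tpm.IsOwned().IsOwned
    }
}

$inv = Get-TpmInventory
$inv | Format-List
if (-not $inv.Present) {
    'No TPM is exposed to Windows on this machine.'
} elseif ($inv.SpecFamily -like '2.0*') {
    'This machine has a TPM 2.0 part, the generation the thread is discussing.'
} else {
    "This machine has a TPM $($inv.SpecFamily) part, not a 2.0 part."
}
```

An absent Win32_Tpm instance on a board that is known to carry a TPM usually means it is switched off in firmware setup, which is the vendor-controlled option Vurbal's second bullet refers to.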
