
German Government Warns Key Entities Not To Use Windows 8


Vurbal:
Did/does Windows 7 support TPM? Yes. The BitLocker drive encryption is dependent on it. The more important question here, I think, is does your hardware have a TPM chip? -Stoic Joker (August 23, 2013, 01:12 PM)
--- End quote ---

It uses TPM by default but can also be configured to operate without it. There have also been no assertions that it can't be turned off other than in Windows 8, although it's equally possible that the German government would be worried purely because they don't have the keys this time around.

Honestly I'm more than just a bit skeptical about the article's claims about what TPM is capable of. Seems more like they're lumping several different (and somewhat unrelated) technologies into one story with just a bit of straw. The phrase "jumping at shadows" comes to mind... *Shrug*

--- End quote ---

I'm not prepared to make any claims as to the validity of anything absent the sort of information we don't have about the German government's reasoning. However if the keys are pregenerated and hardwired into the chips that's something I wouldn't trust no matter who does or doesn't have access to them.


Remember there was a time when hardware based viruses were discovered and folks yelled for an encrypted/protected boot sector ... Now they have one ... and they're mad about it. I really just don't get that part.

--- End quote ---

If a chain of trust has links which are intentionally obfuscated the default assumption is, or should be, that they're potential vulnerabilities. If those links happen to be in the control of organizations with an established pattern of both failing to be trustworthy and lying to cover it up, there's no reason to give them the benefit of the doubt and every reason not to.
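As an added illustration of the point above that BitLocker seals to the TPM by default but can be configured to run without one (this is editorial example code, not anything posted in the thread): the script checks for a usable TPM via the Win32_Tpm WMI class (present on Windows 7 and later), and if none is found it sets the registry values behind the "Require additional authentication at startup" Group Policy so BitLocker will accept a USB startup key instead of a TPM. The volume letter C:, the removable drive E: for the startup key, and running from an elevated prompt are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumptions: OS volume is C:, a removable drive is mounted as E: for the startup key.

function Test-TpmPresent {
    # Win32_Tpm is available on Windows 7 and later (Get-Tpm only on Windows 8+).
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    # IsEnabled()/IsActivated() return objects whose like-named property carries the result.
    return ([bool]$tpm.IsEnabled().IsEnabled) -and ([bool]$tpm.IsActivated().IsActivated)
}

function Enable-BitLockerWithoutTpmPolicy {
    # These values mirror the Group Policy setting
    # "Require additional authentication at startup" under Computer Configuration >
    # Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'UseAdvancedStartup' -Value 1 -Type DWord   # policy enabled
    Set-ItemProperty -Path $key -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord   # "Allow BitLocker without a compatible TPM"
    # 2 = "Allow" for each TPM-based mode, so hardware that does have a TPM can still use it.
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $key -Name $name -Value 2 -Type DWord
    }
}

if (Test-TpmPresent) {
    Write-Host 'TPM present and activated: BitLocker will seal the volume key to the TPM by default.'
    manage-bde -status C:
} else {
    Write-Host 'No usable TPM: enabling the no-TPM policy and protecting C: with a USB startup key.'
    Enable-BitLockerWithoutTpmPolicy
    # -RecoveryPassword adds a 48-digit recovery password; -StartupKey writes the key file to E:\ .
    manage-bde -on C: -RecoveryPassword -StartupKey E:\
}
```

Without the policy change, manage-bde refuses to encrypt an OS volume on a machine with no TPM; with it, the startup key on removable media replaces the TPM as the protector, which is the "operate without it" configuration the quote refers to. Back up the recovery password before rebooting.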

tomos:
I had another look at the Zeit article and went to the source link they give (from the BSI= German Department for Security etc.):

https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2013/Windows_TPM_Pl_21082013.html;jsessionid=5F95A9EB2307BDADF689B6907EA4F378.2_cid359

My "officous" German isn't that great, but I can tell you that it talks about the dangers of:
-
certain scenarios where, due to "unintended errors" [unbeabsichtigte Fehler] of the OS and the hardware, the OS may no longer work properly. These can even lead to permanent hardware failure.
[In particular, on hardware operated with a TPM 2.0, Windows 8 can, through unintended errors by the hardware or operating system manufacturer, but also by the owner of the IT system, produce error states that prevent further operation of the system. This can go so far that, in the event of an error, not only the operating system but also the hardware in use becomes permanently unusable. Such a situation would be acceptable neither for the federal administration nor for other users. In addition, the newly deployed mechanisms can also be used for acts of sabotage by third parties. These risks must be addressed.]
-
=> On top of that, the new mechanism/structure could be used by third parties for sabotage.
[In addition, the newly deployed mechanisms can also be used for acts of sabotage by third parties.]

From that page, there's a link to a PDF - an "Eckpunktepapier" (Benchmark paper?)
http://www.bmi.bund.de/SharedDocs/Downloads/DE/Themen/OED_Verwaltung/Informationsgesellschaft/trusted_computing.pdf?__blob=publicationFile
dated "August 2012".

It seems to be a combination of summarising TPM and how it works: saying what they would expect (in tenders I guess) of it (interoperability with other systems, etc.); warning about its possible dangers; asking people to continue research into it.

There is one line that stood out for me - under heading #17 Datenschutz (Data protection):
saying basically that you've got to weigh up the choices/interests before choosing TCP - in the context of data-protection.
[The protection of personal data is an important prerequisite for increasing security in the IT sector. Therefore the provisions of data protection are to be taken into account in the development and deployment (privacy by design) of "Trusted Computing" applications, and, within the framework of a constitutional balancing of interests, can take precedence over economic interests.]

40hz:
Remember there was a time when hardware based viruses were discovered and folks yelled for an encrypted/protected boot sector ... Now they have one ... and they're mad about it. I really just don't get that part.
-Stoic Joker (August 23, 2013, 01:12 PM)
--- End quote ---

That's not what they're yelling at. The complaint stems from Microsoft co-opting UEFI, adding their own proprietary Secure Boot to the mix - when the fully open CoreBoot already existed and was fully compatible with UEFI - thereby attempting to force Secure Boot down everybody's throat using Microsoft's classic "Embrace/Extend/Extinguish" strategy.

People don't object to having a more secure OS. But they are objecting to Microsoft setting itself up as the de facto gatekeeper when it's not even their technology or initiative.

What's hard to get about that? :)

40hz:
If a chain of trust has links which are intentionally obfuscated the default assumption is, or should be, that they're potential vulnerabilities. If those links happen to be in the control of organizations with an established pattern of both failing to be trustworthy and lying to cover it up, there's no reason to give them the benefit of the doubt and every reason not to.
-Vurbal (August 23, 2013, 01:41 PM)
--- End quote ---

This. 8)

"Fool me once - shame on you. Fool me twice - shame on me."

IainB:
^^ Yup. +1 from me. Kinda obvious, and goes without saying, but seems to need to be said in any event. We can sometimes be soo gullible.
