Data access governed by opaque TPM
A TPM black box guarding your data. How many keys are in the TPM and what organisations either put them there or have access via those keys?
Microsoft has fixed a vulnerability in the Windows Recovery Environment (WinRE) for Windows 10 and 11 systems that could allow access to encrypted data in storage devices. Redmond engineers created a sample PowerShell script to enable enterprises to automatically update WinRE images to protect the Windows devices from a …
The motherboard manufacturer is a company based in Taiw.. China, the OS vendor (in this case) is based in Redmond Washington, and has always been pretty cosy with the CIA, NSA, etc. The BIOS was written by Intel in Tel Aviv, and the TPM firmware itself by god-knows-who
There are relatively few security-conscious people in the world who trust all of the above entities, and they would therefore be using DM-Crypt, with a YubiKey as a keystore.
All this news says to me is that someone who Microsoft the CIA are worried about has started mis-using one of their backdoors...
If you dont like the keys, simply delete them and add your own.
Oh, you sweet summer chil'.
The TPM runs its own code before even the rest of the PC hardware is initialised. That code contains encrypted BLOBs - you have no idea what is in it, and you have no idea if there is a ROM mask in the processor providing a fallback even if you could successfully replace the TPM firmware.
What do you think a TPM actually does?
Its basically just a grumpy oracle that might or might not decrypt some data for you depending on how it feels and you can change how it feels by hashing data into its PCR registers.
For TPM only bitlocker the VMK is encrypted by the TPM and stored in the bitlocker metadata, then when the machine boots the bootloader takes the encrypted VMK from the metadata and sends it to the TPM in a message saying "Decrypt Plz?" if the TPM is in a good mood (ie the PCR registers 7 and 11 have the right value) it will decrypt this and send the VMK back (which you can sniff with a logic analyser)
Its a bit more complex for TPM+PIN as you have to send the correct pin to the TPM before it will talk to you but its not some super secret deep state control chip™
Thats pretty much it, thats all it does it either does or doesn't decrypt some data if its happy or not.
Microsoft is a trustworthy company.
If there is a bug in this fix which results in your not being able to access your own data, you can call the Microsoft Support Line and they will provide an access key within 20 minutes that will unlock your system for you.
As this process is not covered by your support subscription, or the ten free calls any Windows user is entitled to, there will be a small administration fee, of approximately $1.5 million per Business Unit.
Thank you for your custom and Have a Nice Day.
> Was the amount of bugs or security better during XP or Win7 because of the QA dept?
Very much so. The kind of bugs I see in Win 10 wouldnt have got out of the door if I was doing the testing.
No such bugs in XP, XP was released complete. Only security vulnerabilites existed. Now however, everyone is a beta tester.
XP-SP2 and XP-SP3 and the corresponding releases of Windows Server 2003.
Remember MS took a kicking with the original release of XP and someone in MS had the sense to double down on testing.
Aside: not saying XP was functionally better or more secure than W10, just that updates didn’t (in the main) break stuff.
>> Certainly not since Windows 3.2> Never existed
No, you are absolutely right. It never did.© Information Retrieval
But I'm really not.
In the UK, where is the NCSC - National Cyber Security Centre on this?
Nowhere, that's where. Another bloody pointless organisation, we're funding.
Superficial paper shuffling BS, I bet you can count on one hand, the number working there with any deep computing specialisation.
They don't pay enough for a start.
In a corporate environment an recovery partition is not that important. If the laptop broke re-imaging is the way.
But what about "old" WinRE.wim from USB? Does the exploit work if there is no WinRE partition, but the WinRE.wim is on a USB drive? -> Read CVE, answered.
Will be a fun workweek, I hope I get time to check more closely what the ACUTAL issue is, and not just a superficial description.
I will be provocative and suggest even in the home environment, W10 has largely made the OEM recovery partition redundant.
Recently had to re-image a laptop with a W8 recovery partition, but had been upgraded to W10. Plugging in a usb with most recent W10 download got it working will all the drivers which (surprisingly) also included Dell Command Update.
Obviously, if you want all the OEM free applications.. but the major OEMs like Hp and Dell will permit download of such app’s.
And it looks like you need to identify the right packages and have them on a network share, from where the script can pull them. This is going to be largely impossible for machines which aren't domain joined (Intune can run Powershell scripts, but the share is the awkward bit).
If using Intune / GPOs it also means identifying every group of computers needing a different package and targetting them all separately.
It's basically bordering on impossible for many organisations. Are we going to see a patch before too long or will the 'fuck off, it's your problem to deal with it' approach continue?