back to article Germany warns: You just CAN'T TRUST some Windows 8 PCs

Microsoft's new touchy Windows 8 operating system is so vulnerable to prying hackers that Germany's businesses and government should not use it, the country's authorities have warned in a series of leaked documents. According to files published in German weekly Die Zeit, the Euro nation's officials fear Germans' data is not …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Windows

    Just when you thought it couldn't get any worse..

    Whether the story is true or not doesn't even matter any longer. One way or the other; it's another nail into the coffin that is Windows 8.

    How much more will follow? More importantly: when will Microsoft finally wake up and start working their way out of this mess?

    1. Vociferous

      Re: Just when you thought it couldn't get any worse..

      > when will Microsoft finally wake up and start working their way out of this mess?

      I'm thinking "never".

      Ballmer is heavily invested in Metro/Win8, and he's such a major stockholder in Microsoft that he effectively is impossible to dethrone. There are also strategic considerations - Microsoft presumably still believe that the PC is dying and that it MUST shift to mobile devices even if it P's off their PC customers.

      I expect they'll keep doing what they did with Win8.1: make the smallest possible concessions to their PC users, while pressing on with the migrate-to-mobile plan.

      1. bigtimehustler

        Re: Just when you thought it couldn't get any worse..

        Haha, you couldn't have said this at a more wrong time, they have just announced that Steve Ballmer will retire within the next 12 months!

      2. Anonymous Coward
        Anonymous Coward

        Re: Just when you thought it couldn't get any worse..

        "I'm thinking "never". Ballmer is heavily invested in Metro/Win8..."

        I guess that's why Ballmer announced he's retiring...

      3. Spoddyhalfwit

        Re: Just when you thought it couldn't get any worse..

        "Ballmer is heavily invested in Metro/Win8, and he's such a major stockholder in Microsoft that he effectively is impossible to dethrone. "

        Great day to make that post!

    2. pip25
      FAIL

      It gets even better:

      Apparently, MS is forcing manufacturers to include TPM 2.0 into their products if they want to be "Windows 8.1 certified", starting from 2015. Good luck finding a new PC without a working TPM afterwards.

      I usually regard myself as a conservative IT guy who still likes doing most things on a good old PC, but if this really is the future of X86/X64, I will seriously consider switching to some different architecture when my current machine breaks down. Damn the inconveniences.

      1. tempemeaty

        Re: It gets even better:

        I say we continue to loudly protest this kind of nonsense and the PC makers participation in it. Even if we have to embarrass the heck out of the PC makers for allowing themselves to be pushed into this kind of thing.

        1. Destroy All Monsters Silver badge
          Thumb Up

          Re: It gets even better:

          when will Microsoft finally wake up and start working their way out of this mess?

          .. I'm thinking "never".

          Excellent.... excellent.

          white_fluffy_cat.jpg

        2. Anonymous Coward
          Anonymous Coward

          Re: It gets even better:

          The irony is that the problems Windows has is the driver for all this tech and the loser ends up being rivals to Windows.

          1. Anonymous Coward
            Anonymous Coward

            Re: It gets even better:

            More bullshit. TPM is a hardware industry standard - not a Windows standard as such:

            Oracle ships TPMs in their recent X- and T-Series Systems such as the T3 or T4 series of servers. Support is included in Solaris 11.

            Google includes TPMs in Chromebooks as part of their security model.

            VMware's ESXi hypervisor has supported TPM since 4.x, and from 5.0 it is enabled by default.

            PrivateCore vCage uses TPM chips in conjunction with Intel Trusted Execution Technology (Intel TXT) to validate systems on bootup.

      2. Anonymous Coward
        Anonymous Coward

        Re: It gets even better:

        China will be happy to provide "clean", "not-prepared for PRISM" hardware. Maybe this will carry gifts of its own, but, at least the Chinese are not sending combat robots to kill people on hearsay and rumours.

      3. Anonymous Coward
        Anonymous Coward

        Re: It gets even better:

        Trusted computing was proposed quite some time ago. Many saw it as the death of piracy but also of Linux and the DIY software market.

        It seems as if it has been sneaked into existence in the last few years.

    3. Anonymous Coward
      Anonymous Coward

      Re: Just when you thought it couldn't get any worse..

      The article is complete and utter bollocks. There is no known issue with the TPM.

      1. Thebarron

        Re: Just when you thought it couldn't get any worse..

        And the reason we shoulkd believe you instead of the German security bods is?

        1. Anonymous Coward
          Anonymous Coward

          Re: Just when you thought it couldn't get any worse..

          Yes, scare stories and FUD.

        2. Anonymous Coward
          Anonymous Coward

          Re: Just when you thought it couldn't get any worse..

          Because the most basic of research shows that these articles are spouting pure garbage. There is no known vulnerability with TPM 2.0

          A more rational overview is "we are not dealing with a security vulnerability ... Rather, this is about the worrying fact that a system you own might stop working for reasons that are completely beyond your control."

          and

          "In particular, on hardware running Windows 8 that employs TPM 2.0, unintentional errors of hardware or the operating system, but also errors made by the owner of the IT system, could create conditions that prevent further operation of the system. This can even lead to both the operating system and the hardware employed becoming permanently unusable. Such a situation would not be acceptable for either the federal authorities or for other users. In addition, the newly-established mechanisms can also be used for sabotage by third parties."

          Which of course could be true of ANY pierce of hardware, or of the OS itself, or of any of its drivers - so this is basically a steaming pile of bullshit. There is no significant issue here. If there is a ever a bug that breaks TPMs then it will likely be fixed. No such bug exists to date and TPMs work fine on millions of systems.....

      2. Peter Gathercole Silver badge

        Re: Just when you thought it couldn't get any worse..@AC 11:23

        Read this,

        http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

        and then review your comment.

        It's now 10 years old, but lays down what Trusted Computing means to Microsoft and other vendors.

        1. John Smith 19 Gold badge
          Meh

          Re: Just when you thought it couldn't get any worse..@AC 11:23

          "http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html"

          Indeed. This is not security for users it's DRM for Big Media, and given what is known of THE PATRIOT Act a helping hand to the NSA.

          There's just one little problem.

          Unlike Google (where you don't pay and you're not the customer, you're the product) with PC's you're paying for the privilege.

          I wonder how customers will react to that information?

        2. Anonymous Coward
          Anonymous Coward

          Re: Just when you thought it couldn't get any worse..@AC 11:23

          You cite a decade old article, I correctly guessed it was by Ross Anderson. Ross does some important work, but he doesn't half talk it up and it's always big business or banks who are insecure, never FOSS. This is not one of his finer papers.

          1. Anonymous Coward
            Anonymous Coward

            Re: Just when you thought it couldn't get any worse..@AC 11:23

            "Ross does some important work"

            OK.

            "it's always big business or banks who are insecure,"

            So it would seem, most of the time. Maybe that's his speciality? Perhaps you're not aware of his works on e,g, smartmeters? (it's hidden on one of his university pages).

            "[it's] never FOSS [that's insecure]"

            Wtf? How did FOSS suddenly reach the front of your agenda? Banks are commonly featured by Anderson because they've been shown to lie repeatedly about how secure things are. And when something is insecure, the banks don't pay the price, they pass the cost on to their customers.

            I do actually agree that it would be great if Anderson (or his team) would broaden their fields a bit. Infrastructure cybersecurity (yuk) seems to be a popular subject recently, and why not. Some realism would be welcome though. Maybe he could look there.

            Maybe he could have a look at the safety critical systems and software going into the Dreamliner (given the apparent state of regulatory approvals to date on that aircraft, I'd be particularly worried about the safety critical stuff). And so on.

            In fact I'd be quite interested if someone (anyone) would have a look at the software and system safety in a typical modern vehicle, where increasing numbers of controls are drive-by-wire, with increasingly complex software in the middle.

          2. heyrick Silver badge
            FAIL

            Re: Just when you thought it couldn't get any worse..@AC 11:23

            "it's always big business or banks who are insecure, never FOSS.

            I guess you are posting a/c so this bit of ludicrous nonsense will fly under the radar.

            It is simple when you think about it. FOSS has vulnerabilities, just like anything else. The difference is that with the source being accessible, bugs and such can be identified and fixed. This is more than can be said for closed source projects where the trend seems to be to wait for faults to be reported...and/or deny/scream/ignore said problems.

            If nothing else, one could compare the number of successful attacks against Linux (widely used in the infrastructure) against the number of successful attacks against Windows. Let the figures speak for themselves.

      3. Michael Habel
        FAIL

        Re: Just when you thought it couldn't get any worse..

        Those who can read have a clear advantage... (Old German saying!)

        The Story was NEVER ABOUT TPM.... ITS ABOUT TPM v2.0!!

      4. William 3 Bronze badge
        Facepalm

        Re: Just when you thought it couldn't get any worse..

        "The article is complete and utter bollocks. There is no known issue with the TPM."

        What about the unknown issues then, smartie pants.

        1. nematoad
          Unhappy

          Re: Just when you thought it couldn't get any worse..

          No, no, no, it's working perfectly and has no known issues.

          Trouble is that it's designed for the benefit of Microsoft, Intel and all the other proposers of the specification and NOT for the user.

          So, it's working as intended, to control your use of YOUR machine.

          Whoever would have thought that the peasants (us) would be willing to pay for the privilege of being controlled by these bastards?

          1. Anonymous Coward
            Anonymous Coward

            Re: Just when you thought it couldn't get any worse..

            TPM is only really used by corporates out of choice to secure the boot encryption keys on Bitlocker protected disks. I have never yet seen it turned on with a home PC. So this is still a complete non issue for end users.

            If the Krauts decide a hardware chip specifically designed to secure the boot keys is not good enough for them, what exactly do they propose to use instead? Not using anything is certainly less secure....

            Seems to me that this is simply stating the obvious. Any part of a computer could have a fault, and not using TPM doesn't change that..

          2. Ted Treen
            Big Brother

            @Nematoad 24/8/13 15:02

            "Whoever would have thought that the peasants (us) would be willing to pay for the privilege of being controlled by these bastards?"

            From time immemorial, old Toady, 'twas ever thus.

            It's always been one set of utter bastards screwing the majority - some may have been a little more subtle, and perhaps not quite so vicious.

            But screwed we have been, and screwed we continue to be!

        2. Anonymous Coward
          Anonymous Coward

          Re: Just when you thought it couldn't get any worse..

          What about the unknown issues with any OS, the chipset, the CPU, the devices drivers? It's just complete meaningless FUD.

      5. Anonymous Coward
        Anonymous Coward

        Re: Just when you thought it couldn't get any worse..

        "There is no known issue with the TPM."

        As far as you know, perhaps.

      6. Anonymous Coward
        Anonymous Coward

        Re: Just when you thought it couldn't get any worse..

        "There is no known issue with the TPM"?

        Like, the whole idea, right from the beginning and at theory level?

        Giving total and uncontrollable remote control to _every machine_ to Microsoft and US Spooks, meaning NSA, on mandatory hardware?

        No issue at all, eh? For who?

        1. Anonymous Coward
          Anonymous Coward

          Re: Just when you thought it couldn't get any worse..

          "Giving total and uncontrollable remote control"

          It doesn't give anything of the sort. TPM just stores the boot keys.

          1. Anonymous Coward
            Anonymous Coward

            Re: Just when you thought it couldn't get any worse..

            >"Giving total and uncontrollable remote control"

            >It doesn't give anything of the sort. TPM just stores the boot keys.

            So that'll be why we're being blessed with AMT then, eh RICHTO? TPM's high availability remote access evil twin.

            1. Anonymous Coward
              Anonymous Coward

              Re: Just when you thought it couldn't get any worse..

              "that'll be why we're being blessed with AMT then, eh RICHTO? TPM's high availability remote access evil twin."

              I was thinking that too. I've always wanted to be able to VNC in to the BIOS while no one's looking.

      7. G.H.
        Facepalm

        Re: Just when you thought it couldn't get any worse..

        You not knowing of it might be the point of it's existance.

    4. Tom 35

      Re: Just when you thought it couldn't get any worse..

      I love how they always give shit a cute name that is about the opposite of real life.

      Fair Play, Plays for Sure, Open Cable, are other examples.

      Trusted? Not by me!

      1. Anonymous Coward
        Anonymous Coward

        @Tom35 - Re: Just when you thought it couldn't get any worse..

        Did you ever thought that TPM is about you trusting your machine ? Or your machine trusting you ?

        1. Michael Habel

          Re: @Tom35 - Just when you thought it couldn't get any worse..

          Yes that's the way it should be working... But, noooo lets use it for invasive DRM protection instead!

          And if MicroSoft can put the Boot on the thought of Linux a little bit harder.... So much the better!!

      2. Fihart

        Re: Just when you thought it couldn't get any worse..@Tom35

        Add Windows Genuine Advantage to that list of names which mean the opposite.

        1. Anonymous Coward
          Anonymous Coward

          Re: Just when you thought it couldn't get any worse..@Tom35

          "Add Windows Genuine Advantage to that list of names which mean the opposite."

          Not really. It's a genuine advantage for Microsoft.

    5. Anonymous Coward
      Anonymous Coward

      Re: Just when you thought it couldn't get any worse..

      "More importantly: when will Microsoft finally wake up and start working their way out of this mess?"

      I don't think they will. As far as I can see, Microsoft does not possess a reverse gear.

    6. N2

      Re: Just when you thought it couldn't get any worse..

      Agree entirely,

      They seem as happy as pigs in shit, until the money stops coming in,

      Never mind, I suspect they will sprout wings & fly one day.

      N

  2. Anonymous Coward
    Anonymous Coward

    Swings and roundabouts....

    this in theroy could apply to almost ANY OS / System.

    As soon as you turn on ANY auto updating feature, regardless of OS, you are at the hands of someone else, unless YOU actually go through every single line of code and validate it prior to install.

    1. Anonymous Coward
      Anonymous Coward

      Re: Swings and roundabouts....

      indeed, but then you aren't able to "go through every single line of code and validate it" with Microsoft, and the kernel of some OS are reviewed by many people openly before it every gets to your "auto-update" feature

      1. TheVogon
        Mushroom

        Re: Swings and roundabouts....

        "indeed, but then you aren't able to "go through every single line of code and validate it" with Microsoft,"

        Yes you are:

        http://cyber.law.harvard.edu/ilaw/brazil03/ms.html

        http://referencesource.microsoft.com/

        1. Paul Crawford Silver badge

          Re: Swings and roundabouts....

          Really, you can get *ALL* the code for windows and build it yourself? Including those modules considered "DRM" or "security", and promptly for all patches?

          Why have the Germans not been aware of this openness?

          1. Michael Habel
            Alert

            Re: Swings and roundabouts....

            One question.... Where?

          2. El Andy

            Re: Swings and roundabouts....

            @Paul Crawford "Really, you can get *ALL* the code for windows"

            Yes. It's called a disassembler. You can get all the code to anything that runs on a PC. It might not be nice commented C source, but it's still there.

            1. Peter Gathercole Silver badge

              Re: Swings and roundabouts.... @El Andy

              just don't use your disassembler in the US. There's clauses in the DMCA specifically banning reverse engineering.

              I'm also interested in your disassembler. Are you that fluent in x86 machine code? Can you really gleen from the executed code what the software writer was trying to achieve without access to the meaningful variable names, structure definitions, function names (missing if the symbol table has been stripped), argument types and comments? If so, you are in a class of your own, so much better that anybody else in the world (and yes, in my time I have tried to do exactly what you suggested, and even had some limited success)

              In order to get access to what Paul Crawford wants, you would need a de-compiler which was able to reconstruct the C, C++ or whatever language the various parts of Windows are now written in, including removing all the optimisations that not only change the generated machine-code, but in some cases completely eliminate sections of code. And you had better hope there is no self-modifying code in there anywhere!

              If you have such a de-compiler, you should be immensely wealthy, because what you would have would be tantamount to magic.

    2. Paul Crawford Silver badge

      Re: Swings and roundabouts....

      This is much deeper than the auto-update feature, we already have that with most OS including Windows.

      This is about stopping any way of monitoring code by means of a VM or debugger without the OS knowing. While that could be used for malware protection, that is not the primary reason why this was developed. It was developed for money - to toughen DRM and/or prevent users from things that go against the vendor's policy - like installing software that has not come from a walled garden pay-store, for example.

      What I think the Germans are concerned with is this ability for the OS to hide its actions by not running (or running in a different mode) if there is any attempt to analyse it. Added to that you have the machine-ID aspect which a lot of organisations would love to have - a definite way of tying on-line activity to a specific machine.

    3. Anonymous Coward
      Anonymous Coward

      Re: Swings and roundabouts....

      "As soon as you turn on ANY auto updating feature, regardless of OS, you are at the hands of someone else, unless YOU actually go through every single line of code and validate it prior to install."

      Isn't that true of any update - automatic or otherwise?

      Sure, if you don't turn on auto-updates you retain the right to stare suspiciously at the one-line description of each patch for as long as you have to spare, before muttering, "I guess it must be OK" and accepting it.

  3. b0llchit Silver badge

    Wait for the leak

    It is just a matter of time until someone spills the beans. If the spooky spying was a rage, then the spooky spying as a backdoor would pop the entire (proprietary) industry to bits.

    If anyone is naive enough to think that the software vendors are /not/ in bed with the spooks has a deranged attitude far from reality. Of course are there backdoors being created; we've seen the virus/worm/malware/... shit already hitting the fan at several occasions.

    I have heavily invested in popcorn factories and are awaiting the inevitable stock surge.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wait for the leak

      "If anyone is naive enough to think that the software vendors are /not/ in bed with the spooks has a deranged attitude far from reality"

      Yes. And NSA is an organization which doesn't exacttly _ask_ if the vendor is willing to do what they say: It asks for a FISA court order in ten minutes and then vendor does what is told or goes to jail.

      Of course, "You are not allowed to say anything" is slapped on top of everything as standard part of NSA/FISA orders. At company level and at personal level: No holes for leaks there.

      So when Microsoft claims that "No backdoor", not only they are lying, _they know_ they are lying: Of course there is, because NSA and we've already seen how that organization operates: It doesn't care at all what they legally may do.

      Microsoft openly admits that they are "collaborating" with NSA and _yet_ claim there is no backdoor? How absurd is that?

    2. Charles Manning

      It has always been so, why should it change?

      In times past, commercial operators have always been part of the government spy system.

      This is most obvious in the way organisations like the Dutch East Inda Company etc operated. As part of the deals they got to explore and trade, they would be required to report back to the intelligence agencies of the time.

      Exactly the same happened during more modern times with large companies that had offices in foreign lands. They were all riddled with both commercial and governmental spooks. These helped before/during WW1, WW2, cold war,...

      So to think that the spooks are not deeply embedded in the large corporations of today, particularly those providing software, software-based services and communications, would be absurd. Human nature does not change that fast and intelligence organisations would not walk away from such resources - even if commanded to by the govt.

      Pretty much all info worth gathering is in computers. As with drones, there is no need to expose humans to threat. Just bury spying deep in the computer and you can remotely access just about anything from anywhere.

  4. Tom 7

    "forcing Redmond to deny there was a backdoor"

    Judging from Lavabit Redmond would be legally obliged to say that come what may.

    1. Pascal Monett Silver badge

      Yeah, but judging from Microsoft's past history in the DoD affair (and multiple others), they'd say that anyway.

      Now they're just saying that whilst thinking to themselves "and we really can't say anything else this time !".

  5. Vociferous

    You'd think Europe would be used to be taken up the backdoor by the US by now.

    > " BSI released a statement that backtracked slightly, insisting that using Windows 8 in combination with a TPM may make a system safer, but noting that it is investigating "some critical aspects""

    Translation: the in-built crypto makes it harder for random russian mobsters to hack you, but easier for NSA, so it's fine for the plebs but corporations and government should avoid it.

    I am finding it hard to express how total my lack of surprise is at this news.

  6. Anonymous Coward
    Anonymous Coward

    'How deep down the rabbit hole do you want to go?'

    1. Destroy All Monsters Silver badge
      Big Brother

      As long as lube is involved and there are state-sponsored donuts at the end, we can go pretty far with nary a peep, just a stream of "denials" and "excuses" followed by "calls for investigation", then more "excuses" and "denials".

  7. stizzleswick

    "privacy without good security".

    So to ensure privacy, MS suggests to completely remove privacy without raising the grade of securiy in any noticeable manner?

    The problem with that is that MS and the partners in the TCP group are not laying open the way the TPM works, so it is impossible for most people to check what all they can do to me. How about an Opensource alternative? I might go for that after sufficient peer review...

  8. Andy The Hat Silver badge

    If it can be remotely updated by Micro$oft, who's to say it cannot be utilised by 'interested third parties' to simply prevent machines booting (in time of war by HM Gov or for the purpose of extortion by whoever and whenever ...)?

    Control of the OS by the OS that you have opted to install is one thing, control of the entire system via firmware by a few companies who's only connection to your machine is a few lines of code in one chip is another.

  9. david 12 Silver badge

    http://cryptome.org/stoa-r3-5.htm

    According to this 1999 STOA report "The relevant committees of the European Parliament, should be asked to consider legal measures to prevent [Processor Serial Number]-equipped (or PSN-equivalent) chips from being installed in the computers of European citizens, firms and organisations."

    That had a chilling effect on the provision of computers with hardware ID. If you remember back then, the two main reasons for Hardware ID were (a) to prevent theft / inventory control, and (b) for e-commerce requirements (hardware signatures).

    Evidently the effect was not permanent, because ID-equiped processors are starting to appear: they are targeted at the smart meter market, where they are used (a) to prevent theft, and (b) for billing requirements

    This is the first time that I've seen the EU start to kick back against unique ID's The first time around, the objection was targeted at MS and Intel. This time around, their objection seems to be targeted at MS and Intel. I await further developments with interest.

    1. Michael Habel
      Thumb Up

      Re: http://cryptome.org/stoa-r3-5.htm

      I remember it well 'twas AMD High water mark it was. When 3DNow! was all the rage! and my first foray into AMD-dom was with the short lived Slot-A 500Mhz K7 CPU running Win98SE. A damn fine Machine it was too!

      1. Michael Habel

        Re: http://cryptome.org/stoa-r3-5.htm

        And no CPU-ID / Serial Number too... Didn't care for what it did then, and I reckon that I still don't...

  10. Proud Father

    Whose system?

    ""simply no way to tell what exactly Microsoft does to its system through remote updates".

    "...does to its systems..."

    "...its..."

    No not Microsoft's, it's mine.

    I bought it, I own it, it's mine.

    1. Anonymous Coward
      Anonymous Coward

      Re: Whose system?

      Not anymore! Didn't you know that?

      Richard Stallman almost lost his voice barking this to all four cardinal points while we all of us had a good laugh at it.

      Live and learn, folks!

      1. pepper

        Re: Whose system?

        Truth is, he has been right more then anyone likes. He might seems a bit extreme at first, but he has been right many times in the past few years, worryingly enough.

    2. Anonymous Coward
      Anonymous Coward

      Re: Whose system?

      "I bought it, I own it, it's mine".

      Except for the software, of course.

      1. Anonymous Coward
        Anonymous Coward

        Re: Whose system?

        >"I bought it, I own it, it's mine".

        >Except for the software, of course.

        Da. In Ameᴙica the software owns you.

  11. Anonymous Coward
    Anonymous Coward

    The comment of there being no back doors for spooks sounds ominously familiar to we don't allow spooks into your data. Technically, that's correct. Microsoft employees gather the data and then hand it over to the gov.

    Questions that should be asked.

    - Does my PC's file index and the things I search for on my HD get sent back to the mothership?

    - Just how secure is Bitlocker?

    In the end, it does not matter. Win 7 is my last MS OS regardless. We are also going open source at the office.

    1. Anonymous Coward
      Anonymous Coward

      - Does my PC's file index and the things I search for on my HD get sent back to the mothership?

      Answer: "No, of course not", leaving out: - "That is what the Anti Virus Software really does"! -

      Or rather, it doesn't: It really search for hashes of files and returns "yes" or "no" - or " degrees of similarity", probably allows remote queries on "the kind of stuff" there is on a given computer. It gives a template of files that are on all computers, so one can find "interesting" computers (outliers) and maybe monitor the spread of ideas (same hash codes/similar documents propagating),

  12. Test Man

    "Rumours about a backdoor in Windows are almost as old as Microsoft itself. In 2009, El Reg reported on the NSA's admission that it had worked with developers on Windows 7's operating system security, forcing Redmond to deny there was a backdoor left open to spooks."

    There was something in Windows 95 though?

    1. Anonymous Coward
      Anonymous Coward

      Can't remember anything about backdoors in any of the windows-on-dos series and, frankly, why would they have bothered when those OSs scarcely even pretended to offer any semblance of security at all?

      Perhaps you're thinking of the NSA_KEY implanted in every 32bit Windows; from early in the conception of NT. Scott Culp of the "Microsoft Security Response Center" explained the existence of the NSA_KEY thus:

      "In 1992-93, Windows NT program management identified a need for a cryptographic API set that would allow third-party cryptographic modules to be installed. Because of the obvious parallels to the "crypto with a hole" case, we went to State Department, who confirmed that they would not grant export approval for our design unless it controlled which third-party cryptographic modules could be installed."

      http://cryptome.org/nsakey-ms-dc.htm

  13. Salts

    Which PC's don't have TPM

    As I am looking at a new laptop and will be installing Linux, windows may get a VM but that's about it, does any one know which PC's don't have this chip and how do you find out? I have been looking at Lenovo.

    Also wonder if this is why huawei are being black listed in US, so that all kit installed is US built with back doors etc for NSA?

    1. Suricou Raven

      Re: Which PC's don't have TPM

      The TPM itsself can't do very much without cooperation from the OS - all it can do is make sure BIOS updates are signed and enforce Secure Boot - a feature which, for now, Microsoft still generously permits you to disable. So if you run linux, it won't bother you. On the upside, the TPM does include a cryptographic accelerator and RNG (True R, not PR) - so if you get the linux drivers working, it could be used to give an SSL webserver or something a performance boost.

      1. Havin_it
        Linux

        Re: Which PC's don't have TPM

        Now there's a thought ... I have a server that I think has a TPM, and an embedded cpu with no AES-NI/AVX extensions, that could definitely benefit from access to such hardware. However, I wonder

        A) Can Linux drivers actually harness the crypto components in useful ways?

        B) Do all TPM chips have these components, or just 2.0 versions?

        ...Oh, and of course ...

        C) Can we even trust them to do out-of-spec crypto tasks such as this, without backdoors or other compromise?

        1. El Andy

          Re: Which PC's don't have TPM

          @Havin_it "Do all TPM chips have these components, or just 2.0 versions?"

          A TPM without encryption capabilities would be pointless, given that's the only thing they *actually* do, as opposed to what the tin-foil hat brigade would like you to believe....

          1. Tuomas Hosia

            Re: Which PC's don't have TPM

            "given that's the only thing they *actually* do"

            So you have a whole TPM chip and you _know_ what it *actually* does, despite half of the functions being officially not documented and who knows how many functions totally secret, the NSA segment?

            Nice idea, borders to being gullible.

            1. Anonymous Coward
              Anonymous Coward

              Re: Which PC's don't have TPM

              >Nice idea, borders to being gullible.

              I wonder how much longer the I-believe-what-I'm-told-to-believe brigade are going to go on calling people with a bit of common sense "the tinfoil hat brigade"?

              That whole "people who think the government are spying on us must be nutters" meme must been reversed somewhat of late. Shirley anyone who still hasn't realised it must be the nutter?

              1. El Andy

                Re: Which PC's don't have TPM

                @AC12:10 "That whole "people who think the government are spying on us must be nutters" meme must been reversed somewhat of late. Shirley anyone who still hasn't realised it must be the nutter?"

                Do government spies spy? Er, yes, of course. Do you think they care about the minutia of every thing you do in your life? Really? Can you even begin to conceive how many people it would actually require to spy on every single moment of even a single individual's life and all their interactions? Do you think that it is even remotely plausible that even one person is dedicating their existence to monitoring yours?

                If you do, then yes you belong firmly in the tin-foil-hat brigade. If, on the other hand, you look at espionage as an occasionally necessary evil and consider the practical limitations on the reality of what is ever going to be possible, then you should really see why there isn't actually much to be worried about.

            2. El Andy
              Facepalm

              Re: Which PC's don't have TPM

              @Tuomas Hosia: "So you have a whole TPM chip and you _know_ what it *actually* does, despite half of the functions being officially not documented and who knows how many functions totally secret, the NSA segment?"

              TPM is an ISO spec. Every part of TPM is documented, because it'd be a pointless spec if it weren't.

              If you want to believe the NSA are putting "secret" extra bits inside the PC that let them spy on you, that's up to you, but there would be no need for that to be a part of TPM, nor for it to be removed/disabled in machines without a TPM or with TPM disabled. It wouldn't even have to stop functioning when you ran Linux. Heck, it's probably buried deep within every x86 and ARM CPU ever manufactured and deliberately sending details of everything you ever do to a bunch of people who have nothing better to do in life than check exactly what you're doing every single minute of the day,

              Have a nice afternoon thinking that through....

          2. Havin_it

            Re: Which PC's don't have TPM

            Sorry, not well-phrased perhaps. My focus was on the "what can it do for me" angle, not ... well, everything that followed.

            What I was asking was, I suppose, can one of these things handle constant (think disk encryption) crypto workloads, and do so better than the CPU, on Linux? Or is it only built for verifying a key once in a blue moon? And is there a generational difference in what bits Linux can actually use?

            But I'm glad everyone had fun with their little digression session... FFS

      2. Anonymous Coward
        Anonymous Coward

        Re: Which PC's don't have TPM

        >The TPM itsself can't do very much without cooperation from the OS - all it can do is make sure BIOS updates are signed and enforce Secure Boot - a feature which, for now, Microsoft still generously permits you to disable.

        Hence the "need" for a high availability remote code execution mechanism. Or AMT for short. What a combination: A "perfect storm" of "trust".

      3. Anonymous Coward
        Anonymous Coward

        Re: Which PC's don't have TPM

        "The TPM itsself can't do very much without cooperation from the OS - all it can do is make sure BIOS updates are signed and enforce Secure Boot - a feature which, for now, Microsoft still generously permits you to disable. So if you run linux, it won't bother you."

        NOT if you're gullible enough to to own ARM hardware blessed by the beast of Redmond. No generous permission to disable the M$ lock-in on that. If M$ has "certified" your ARM kit it's Win or bin.

  14. Michael Habel

    All the more reason (as if I needed any...) that I should keep my aging C2D Systems up and running for as along as I can. Neither of which have any of this TPM BS on it that I would know of.

    As for US Companies I suppose Ubuntu is a South African Outfit. But what about Mint?

    Whats the BEST non-US backed Linux?

    And on that token why hasn't anyone ever brought up SELinux yet?

    I mean who do you think donated most of the Code for that?

    Why haven't we been hearing more about this??

    1. Vociferous

      Any Linux you can inspect the source code of is pretty much guaranteed to not contain back doors. It can still contain vulnerabilities of course, but not back doors, there's simply too many people vetting it.

      1. Michael Habel

        Which then begs One of Two further Questions...

        1) Can we trust these "People" who are "veting the Code"? (i.e. Who's watching the Watchmen?)

        2) Are these "People" actually skilled enough to actually find well intentioned (I'm sure...), but very cleverly hidden Code?

        Bonus Question who here would continue to use SE(NSA)Linux?

      2. Anonymous Coward
        Anonymous Coward

        "Any Linux you can inspect the source code of is pretty much guaranteed to not contain back doors. It can still contain vulnerabilities of course, but not back doors, there's simply too many people vetting it."

        A million eyes looking at something are only useful if they are looking in the direction of the problem. How many people actually download the code and then confirm that the binaries they've downloaded are the resultant binaries from that code? I don't know a single person or company who does, with the exception of one security specialist who admits that "it's a time consuming ball ache". Did you know that the KDE project recently lost everything because they were using a replicating git hub as backup for their codebase. The only reason they didn't lose everything when a corruption was replicated was because they'd by complete chance removed a node the previous day.

        1. Destroy All Monsters Silver badge
          Paris Hilton

          > Did you know that the KDE project recently lost everything

          What. They have less sysop nous than a fly-by-night outfit that sells packages of Bami Goreng on the side?

          1. Destroy All Monsters Silver badge
      3. Anonymous Coward
        Anonymous Coward

        "Any Linux you can inspect the source code of is pretty much guaranteed to not contain back doors. It can still contain vulnerabilities of course, but not back doors, there's simply too many people vetting it."

        That turns out not to be the case. See http://cm.bell-labs.com/who/ken/trust.html

        Ken Thompson's point is clearly summarized at the end of that short paper:

        "You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect".

        1. Anonymous Coward
          Anonymous Coward

          Do tell

          Whoever downvoted my comment with the Ken Thompson quote, it would be nice if you would take the time to reply and let us know whether you:

          1. Disagree with Thompson's assertions;

          2. Believe that Thompson's assertions, as quoted, are irrelevant or misleading;

          3. Were just feeling bloody minded.

          1. Anonymous Coward
            Anonymous Coward

            Re: Do tell

            OK then - bloody minded it is.

    2. Anonymous Coward
      Anonymous Coward

      OpenBSD, it's not Linux though

    3. Anonymous Coward
      Anonymous Coward

      >Whats the BEST non-US backed Linux?

      Well, Linux (i.e. the kernel) is very much a distributed multinational effort but since its spiritual and de-facto leader has migrated right into the hart of the axis of evil, I'll presume you mean "distro" rather than the kernel and whole heartedly point you in the direction of OpenSUSE.

      Mandriva/Mageia and KNOPPIX spring immediately to mind too. Probably both more "enthusiast" than "best" but that's a pretty subjective distinction. Ubuntu is "based" (registered - for tax reasons, etc) on the Isle of Man but main offices are London. Not that I'd let that bother you - (F)OSS is effectively a game of whack-a-mole for big-gov and their mega-corp minions... try to piss about with it and it'll just slip through your fingers and pop up again (sans pissing about) in ten different places. Just ask MS, Oracle, SCO, etc... That's what those "virus/cancer" licences are all about.

      There are some significant government (national or regional) supported offerings from Spain, Greece, Germany, Turkey, Brazil, amongst others.

      distrowatch.com is an excellent reference of all things distro. You can search its (surprisingly well maintained considering) database by all manner of criteria, including "country of origin."

      Good hunting.

    4. Anonymous Coward
      Anonymous Coward

      >And on that token why hasn't anyone ever brought up SELinux yet?

      Probably because:

      a) It's offered (publicly) to an open project which thoroughly and openly reviews it (as it does ALL contributions). Not secretly escrowbared into some take-it-or-leave-it immense binary blob by clandestine decree from upper ECHELONs.

      b) It's optional. Use AppArmour if you prefer. Or ACLs, or something offered by whichever filesystem you favour, or hypervisors, or whatever. There are myriad ways to crack the nut and the diversity of (F)OSS is it's greatest strength. Choose whatever best suits YOU... rather than the M$ "you'll do it this way" doctrine. Have a quick squint at Qubes for an example... a new, simple yet ingenious and rather exciting approach at addressing these sort of trust problems by means of rigorous abstraction.

  15. Anomalous Cowshed

    You just can't trust them windows 8 computers...

    At a time when it has been shown that the American and British governments spy on their citizens, it's good to know you are a German citizen, for once. You can trust us implicitly.

    Now this windows 8 ain't no good. I don't want to go into the reasons, which are classified, but as a good citizen, you should seriously consider using Windows 98 or 3.1, our systems are optimised for them which are far more secure.

    Understood? You may go now!

  16. Anonymous Coward
    Anonymous Coward

    I was told that the reason why MS still supports XP was because most regimes (which the NSA are interested in) are still heavily dependent on XP. MS was forced to support XP against their business model.

    1. Mr. Peterson

      your Uncle is more informative than my Uncle

  17. Destroy All Monsters Silver badge
    Big Brother

    Disquieting frankness on your webzine

    Microsoft denied there was any backdoor. In a lengthy statement, a spokeswoman insisted that users cannot expect "privacy without good security".

    Indeed. We want privacy with excellent security, not "no privacy" with just "good security".

    Mickey's soft: just say no to this package..

  18. Robert Helpmann??
    Childcatcher

    What's in a Name?

    Microsoft's new touchy Windows 8 operating system is so vulnerable to prying hackers...

    There are few who understand the word "hacker" to mean "the programmers writing the software being hacked." The issue here is not that there is a suspected problem with the OS not working as advertised, it is with the design itself (and so is not a hack). It seems that it all comes down to trust which seems to be in short supply these days.

  19. M Gale

    WHo actually thought TPM was about security?

    And not an attempt at making it awkward to run anything except Windows? Or at least to run anything without paying a Microsoft tax?

  20. Daniel B.
    Boffin

    TPM

    Heh. The fun thing is that TPM is good when it is actually used by the user vs. being a remote MS borging control. A couple of talks at DEFCON actually showed useful things that can be done with the TPM iron like random keys used for encrypting stuff and having them protected by the TPM ... basically serving as a poor man's HSM.

    But noooo ... MS and the other evil entities insist on using the tech for DRM evil. Meh.

    1. Paul 129
      Coat

      Re: TPM

      An interesting effect. I had one client with a windows 8 machine, his settings disabled updates over connections that cost you money. Somehow he had drivers that had 1/2 downloaded updates. His computer got stuck in a reboot loop trying to update components. (solution was to somehow get it in a safe mode and activate the updates over connections that cost yo money, but I digress)

      Observing the complains about the components, well why don't you fix it by installing the files, updating the registry entries. Nope. The files were at their correct versions, the registry entries were correct. The thing was baulking due to components not being registered correctly in windows side by side. *sigh ok where's the problem here*? Well the components appear to be digitally signed, with an expiration date etc....(looks like a digital certificate chain, presumably they can issue CRL's) Oh... Comparing to another machine, and a few basic experiments later, They're signed against a signature PER machine. I didn't think of looking at TPM (Thought that was killed years ago) :-(

      So what does this mean in reality? Well You have to TRUST M$, because they control the keys that controls what you CAN run on your computers. Trouble with this is that you also have to trust the US government. We have never had ANYTHING like this every before!

      This isn't a DRM issue, nor a trust them not to seal data (which it is), its a sovereignty issue. US government with the keys to disable all your Internet connected windows 8 machines, no they would never abuse that sort of power....Yeah Right!

    2. Anonymous Coward
      Anonymous Coward

      Re: TPM

      Please provide an example of MS using the TPM for DRM?

      As far as I can see they are only used to secure the boot keys of an encrypted disk.

      1. Anonymous Coward
        Anonymous Coward

        Please provide an example of MS using the TPM for DRM?

        To prevent people running Linux on THEIR computers. Of course. Is that not "DRM"?

        If not, then what exactly do you consider to be our rights?

  21. John Smith 19 Gold badge
    Unhappy

    Now definitely my last Windows machine.

    I've been lazy.

    I've taken the path of least resistance

    And MS have benefited.

    This is too much. I don't need this much s**t in my life. When I saw Linux updates all applications on a machine I was interested. Now avoiding this rubbish definitely puts the last nail in their coffin.

    Time to send this chicken dancer to the chicken pie factory.

    1. Anonymous Coward
      Anonymous Coward

      Re: Now definitely my last Windows machine.

      No, linux updates all applications which come from a repo. That's a pretty big difference. You also don't have the ability to mix versions of software, or at least not in anything like an easy, user friendly manner.

      1. Chemist

        Re: Now definitely my last Windows machine.

        "No, linux updates all applications which come from a repo."

        It is however possible, indeed normal, to have a number of repositories, I have all the OpenSUSE for my version +packman. A little care is needed when installing certain applications ( for example kdenlive needs the programs/libraries melt, mlt, ffmpeg and vlc to be from the same repo.) to get all the necessary helper programs from the same repo but otherwise as stated all software will be updated automatically, semi-automatically or not at all depending on the user's wishes.

        Good luck with your decision John, try a few live CDs first

        1. Anonymous Coward
          Anonymous Coward

          Re: Now definitely my last Windows machine.

          Can you explain how I can update COTS software from a repo?

          1. Chemist

            Re: Now definitely my last Windows machine.

            "Can you explain how I can update COTS software from a repo?"

            I'd hope the vendor would provide a repo. as Google does for GoogleEarth.

            I suggest that you are now picking Pediculus humanus capitis

            1. Anonymous Coward
              Anonymous Coward

              Re: Now definitely my last Windows machine.

              Yeah, I'm sure that MS, Symantec, IBM, Oracle, etc. etc. will put their software into repos.

              Google Earth is free, therefore it can go into a repo, it's hardly COTS though.

              1. Anonymous Coward
                Anonymous Coward

                Re: Now definitely my last Windows machine.

                "Yeah, I'm sure that MS, Symantec, IBM, Oracle, etc. etc. will put their software into repos."

                What?

                Any software that is supplied on mass-produced CD or DVD can surely be repackaged to go into a repo, and whatever magick that enables legitimate use of the product when installed off CD/DVD can still be used? Or is there a flaw in that logic?

              2. Anonymous Coward
                Anonymous Coward

                Re: Now definitely my last Windows machine.

                >"Yeah, I'm sure that MS, Symantec, IBM, Oracle, etc. etc. will put their software into repos."

                ...and guess what, RICHTO, you're right! Not only will they, they already do!!!!!!one!!!

                Here's an example from IBM for your edification:

                http://www-304.ibm.com/webapp/set2/sas/f/lopdiags/yum.html

                ...and here's a nice comprehensive example from Oracle, complete with a detailed how-to:

                https://www.virtualbox.org/wiki/Linux_Downloads

          2. Anonymous Coward
            Anonymous Coward

            Re: Now definitely my last Windows machine.

            You can install Secunia PSI

  22. William Wallace

    USA or China

    Its an odd world when you have the option of deciding whether you want to be snooped on by the USA (MS, NSA, TPM, etc) or by China (Huawei). Personally, I think the US is the most aggressive and invasive option (and, from a nationalistic point of view, the most likely to be harmful).

    1. Anonymous Coward
      Anonymous Coward

      Re: USA or China

      I guess the two countries should sit down and talk, especially on deduplication of data they slurp.

    2. Anonymous Coward
      Anonymous Coward

      Re: USA or China

      What on earth would make you think that China is using Huawei for espionage? Do you have any grounds AT ALL?

      Shirely you don't consider "the NSA USA said so" to be grounds for suspicion?... the USA/NSA just don't want their prey haplessly wandering away from their backdoored HP/Cisco/Barracuda malware pushers to cheaper kit which they CAN'T backdoor. Isn't that obvious?

  23. PunkTiger

    Only one way to disable TPM

    > ...OEMs have the ability to turn off the TPM in x86 machines; thus, purchasers can purchase machines with TPMs disabled...

    The thing is, I don't want the TPM chip to be "disabled," I want it REMOVED from the motherboard altogether. That's the only way I know I'll be able to trust my computer to run the OS and software I WANT it to, and not be beholden to some shadowy organization and/or find the chip possibly re-enabled because of a processor change, or BIOS battery replacement.

    1. M Gale

      Re: Only one way to disable TPM

      I have to wonder whether a sub-1mm drill bit and a dremel would remove the ability to run Windows (well, "activated" copies of Windows), or remove the ability to run anything?

    2. Christian Berger

      Re: Only one way to disable TPM

      I think on new motherboards the TPM is included in the Chipset, so it's on die and you cannot get rid of it. Even if you did, your system probably wouldn't boot any more.

      Except when you buy some Chinese PC with optional TPM where it's on a plugin module you can easily pull out.

      1. Peter Gathercole Silver badge
        Unhappy

        Re: Only one way to disable TPM

        My experience with the IBM Security Module (TPM 1.0) on Thinkpads where it was optional was never good.

        Once a Thinkpad had been booted once with the security module installed and turned on, removing it stopped the machine from working. Completely. It just sat and beeped at you 16 times when you powered it on.

        The only way to revive it was to plug the removed module back in. It had to be the one that was removed. One from another machine of exactly the same type did not work. You could not even disable the security module and then remove it. The IBM maintenance manual stated that if you got a machine to repair in this state, without the original security module, the fix was to replace the motherboard.

        More modern Thinkpads, like most machines, have it in the supporting chipset, so it is impossible to remove.

  24. Anonymous Coward
    Anonymous Coward

    "users' data is theoretically accessible to US

    spooks in the National Security Agency"

    this is by design.

  25. Big-nosed Pengie

    They don't call it "treacherous computing" for nothing.

  26. IT Drone
    Windows

    Oxymoron ...

    ... Windows, security, trust and remote updates all in the same sentence (without the word "not" appropriately placed as well)?

  27. Fihart

    Nothing to fear unless you have something to hide....

    Fortunately for the rest of the world the Germans have a lot of commercial data to secure against US industrial espionage.

    Germany and (hopefully Europe) will call foul on this and threaten Microsoft's business in Government and Commerce IT.

    The very idea that an OS company can dictate hardware design in a manner which potentially damages users should have anti-trust implications, as well.

    Every day in every way Microsoft is coming closer to its own destruction.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nothing to fear unless you have something to hide....

      "Germany and (hopefully Europe) will call foul on this and threaten Microsoft's business in Government and Commerce IT."

      They tried that in Munich and it has been an unmitigated disaster, that cost tens of millions in investment from IBM, etc. that will never be recovered.

      Over a decade later the migration still hasn't been completed - and when migrated users need to do real work - like use a version of Office that actually works - they all connect to Virtual Machines - running Windows....

      This is one of the major reasons why corporate Linux adoption on the desktop remains close to zero.

      1. Chemist

        Re: Nothing to fear unless you have something to hide....

        "They tried that in Munich and it has been an unmitigated disaster, that cost tens of millions in investment from IBM, etc. that will never be recovered."

        References ?

        1. Anonymous Coward
          Anonymous Coward

          Re: Nothing to fear unless you have something to hide....

          >"References?"

          His employer hired HP to fabricate an unauthorised audit... for PR and marketing purposes... PR and marketing purposes including trolling FUD into forums, I imagine.

          Munich has itself been publishing real audits... the old fashioned kind - based on actual data. They don't exactly agree with the HP/M$ fantasy audit. Munich has also made it very clear it's very satisfied with its upgrade to Linux and, after this latest report, I imagine more councils may soon follow their lead.

          1. Anonymous Coward
            Anonymous Coward

            Re: Nothing to fear unless you have something to hide....

            "Munich has itself been publishing real audits... the old fashioned kind - based on actual data. They don't exactly agree with the HP/M$ fantasy audit."

            References welcome, ideally from both sides (though a paper produced by MS's number two route to market does start off at a bit of a disadvantage).

            German language is OK.

            Thanks.

            1. This post has been deleted by its author

            2. Anonymous Coward
              Anonymous Coward

              Re: Nothing to fear unless you have something to hide....

              Certainly AC. I'd start here: http://www.h-online.com/open/news/item/City-of-Munich-disagrees-with-HP-s-Linux-migration-study-1797232.html for a good overview. Quotes replies direct from Munich and provides a link to the project's website - in German.

              Wouldn't hold my breath waiting for the other side though. They've refused to publish. Just like that purported Linux patent infringement portfolio. Such is the nature of FUD. There are no facts, so publishing would destroy the FUD... but publishing isn't even necessary... seeding uncertainty is the sole intent.

              1. Anonymous Coward
                Anonymous Coward

                Re: Nothing to fear unless you have something to hide....

                Thank you AC 5:57 for the links.

                Reading the first one led me to

                http://www.h-online.com/open/news/item/Microsoft-partly-releases-study-on-Munich-s-Linux-migration-1792733.html

                which, as the title implies, covers MS Germany's attempts to substantiate (and/or backpedal from) the claims made by HP, by releasing a small selection of details from the "internal use only" HP study.

                Here's a highlight but the rest is interesting too:

                "The study does not comment on the fact that the €17 million for the Microsoft solution quoted in HP's study are far below the figure calculated by the City of Munich, which stipulated €34 million (£29 million) for a Windows and Microsoft Office scenario. The likely reason for this is an assumption by HP that Munich's administration would still be using Windows XP and Office 2003 if Munich had decided to go with Microsoft products; Munich's calculations, on the other hand, include an upgrade to Windows 7."

                So HP apparently conveniently forget the City of Munich's share of the multi-billion Windows 7 upgrade costs (which Ballmer (?) recently described as an opportunity for the MS ecosystem, whereas much of the outside world sees it as an unjustifiable spend). I wonder how that happened.

      2. Chemist

        Re: Nothing to fear unless you have something to hide....

        By the way :-

        Microsoft refuses to release study challenging Munich Linux success

        "I would struggle to see how a Windows deployment would be cheaper than a Linux installment," said Roy Illsley, principal analyst at Ovum, who added that he couldn't imagine why Microsoft wouldn't release a study that actually proved that Microsoft is cheaper than Linux. "I would suspect that they read it and they suspected that there are some errors in there," he said.

      3. Anonymous Coward
        Anonymous Coward

        @mmeier - Re: Nothing to fear unless you have something to hide....

        "They tried that in Munich and it has been an unmitigated disaster, that cost tens of millions in investment from IBM, etc. that will never be recovered."

        mmeier, if you want to post anonymously, you should at least refrain from posting your typical FUD verbatim.

  28. Henry Wertz 1 Gold badge

    "Microsoft denied there was any backdoor. In a lengthy statement, a spokeswoman insisted that users cannot expect "privacy without good security"."

    Microsoft introduces a false tautology here... "a implies b" does not mean "b implies a". I don't expect privacy without good security, but some extra security (that I don't have control over) does not necessarily mean an increase in privacy. In this case, the TPM is not under user control, it is under Microsoft's control, so it does not improve privacy. Regarding security, I can't fully determine what it does but it seems to me in reality it allows for supposedly stricter DRM (digital rights restriction) systems (and maybe stricter OS tampering detection insofar as the tampering could be used to extract "protected" video and audio streams) rather than actually working to keep YOUR data any safer than it is now.

    Regarding M$'s claim that it doesn't take away user control because you can buy one with TPM disabled *by the OEM*. I'll do one better, and buy hardware with no TPM whatsoever and no Windows, thanks. Saying "you can just not buy/use XYZ" doesn't address XYZ taking away user control, which TPM undeniably does.

    Regarding Microsoft's claim that TPM doesn't interfere with installation of other OSes because Windows can be told to clear the TPM -- so, won't any "naughty" OS (like a rootkit) simply nicely ask Windows to clear the TPM, then be just the same as a TPM-less system? Plus, you would then presumably risk losing use of any rights restriction-infected files you got which rely on healthy TPM operation, with the TPM storing keys or what have you.

    The fact of the matter is, I can't say for certain TPM will do anything in particluar, but from a security standpoint in general? I do not want a black box processor which runs unknown code, updated from unknown sources at unknown times, performing unknown operations inside my system, and that is what TPM is.

  29. heyrick Silver badge

    "Since most users accept defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated."

    This, from the company that released successive versions of their most popular version of Windows with the initial out-of-the-box user profile defaulting to being an Administrator...

    1. El Andy

      @heyrick "This, from the company that released successive versions of their most popular version of Windows with the initial out-of-the-box user profile defaulting to being an Administrator..."

      And then, in the first version that didn't (Vista), were berated by self-appointed "power users" for breaking applications and "taking away the ability to do what I want with my PC".

      Damned if they do, damned if they don't....

  30. Anteaus

    Wrong angle on security, anyway.

    Any system coded in a language which allows buffer over-runs, is vulnerable to any trivial oversight by the coder. But, tell any coder to stop using C or its derivatives, and you might as well tell them to give up coffee.

    Any Web backend whose database allows injection of commands into data, is insecure by design and should be ditched. Any chance of a replacement for SQL, minus this vuln, anytime soon? Nope. Thought not.

    Any OS or browser which continually hits the user with update-reminder popups is wide open to update spoofing by malicious sites. Better no updates than continual popups, some of which may lead to a malware download.

    Any software which encourages users to post email addresses on webpages is a crass piece of idiocy. The result will be harvesting, and spammed links to sites hosting malware. Yet, the majority of website software authors stick their heads in a bucket of sand and pretend that address harvesting isn't real.

    These are the real security issues in IT. Funny, but the industry, instead of fixing the actual causes, makes a lucrative trade out of selling symptom-treatment products. I guess there is money in this, but no money in fixing the root of the problems.

    Meanwhile, TPM will address precisely... zero of these issues.

  31. korikisulda

    "Trusted".... Microsoft clearly doesn't get the irony...

    1. Anonymous Coward
      Anonymous Coward

      Methinks they do! I'd actually be very surprised if their abuse of "trust" hadn't been the source of much mirth around Redmond.

      It appears to me that Microsoft's product naming process must be some sort of open internal competition. The winner being the suggestion which best utilises irony and sarcasm to provoke the most raucous laughter in the boardroom.

  32. All names Taken

    In years gone by these are/were reasons for making electronic kit at home.

    Might have cost more but ...

  33. Revelationman

    I have given Windows 8 a try now for close to a year, it was a mitigated disaster , constant issues, the one in particular issue was the Wi-Fi kept dropping, I tried everything even Virgin Media gave me new router, I was smart enough not to wipe the drive and keep the recovery partition., I have went back to Windows 7 and life is back to normal, I will honestly say, that Windows 8 is a mistake by Microsoft, what they should of done is just call it Windows Tablet Edition, and just kept Windows 7, But the problem Microsoft most likely does not want another Windows XP, but I work in the IT industry , and everyone has stated there will be no migration to Windows 8 but just Windows 7

    This is Microsoft's Windows ME, some say Vista, but I will go one worse , that is ME.

This topic is closed for new posts.

Other stories you might like