This is among the sillier NSA stories I've read. First of all, the "link to NSA" was basically invented out of thin air. The original article in Die Zeit as well as this one are basically just reporting that TPM COULD be a "backdoor" for the NSA but not actually supporting the idea that it IS.
And beyond the issue of baseless speculation as a replacement for journalism, it's a little hard to understand why NSA (or anyone else) controlling TPM is a special threat to users. Despite what the article claims, I don't think TPM is a "backdoor" and it certainly isn't a "surveillance chip". And the articles don't explain how control over TPM gives someone a special advantage over computers with TPM support, an explanation I'm not holding my breath for.
I don't like DRM chips period. I don't care if Microsoft, NSA or whoever puts it in I'm either not buying it or if I don't have a choice I'm heating up my soldering iron.
No chip is going to stop me from installing whatever the hell I want on my computer.
In all seriousness how feasible is it to run a hot air gun over the TPM chip and remove it before even you first boot the computer? Would the computer boot? And if it does, would it just go with "Oh, I thought I came equipped with a TPM chip. I don't seem to have one. Oh well, let's carry on anyway"?
And you dont have to use a TPM module in a pc all the consumer motherboards i have looked at for my latest hazwell build dont have them just a header in case you want to add one.
You might want to read that linked statement again. The BSI criticizes the sensationalist wording and generalization ("bad for all users") in the Die Zeit story, but emphasizes the key point that it's unacceptable for critical infrastructures to give up full control over your own systems by being forced to use TPM 2.0.
The story seems to be from leaked internal documents. Haven't we learned better over the past 2 months than trusting the "official statements" afterwards, that inevitably deny it whether it's true or not?
At the very least, I think this deserves more exploring. It's not the first time I saw the Germans weren't happy with Windows 8 and its "secure boot". This is from last November:
Those are different sources. BMI = "Bundesministerium des Inneren", interior ministry. BSI = "Bundesamt für Sicherheit in der Informationstechnik", federal office of IT security. And they are not contradicting themselves. The statement they just issued reiterated Windows 8 is not safe for government and critical infrastructures.
However, this means no all clear in terms of Trusted Computing. While the publicly available TPM 2.0 specification includes no back-doors, any implementation might do so, either by malicious intent, due to implementation errors or government pressure. This risk can be met only if implementations are scrupulously tested and certified by independent bodies. This is not the case with the integrated TPM of current Windows 8 tablets, to name just one example.
The sentence "Microsoft [...] informs the US government of security holes in its products well before it issues fixes so that government agencies take advantage of the holes and get what they’re looking for." kind of suggests how credible the source is.
I'm aware of the fact that they were informed first but I'm not aware of instances of gov't agencies using these exploits to get 'what they are looking for'.
> I'm aware of the fact that they were informed first but I'm not aware of instances of gov't agencies using these exploits to get 'what they are looking for'.
Were you aware of NSA surveilance before Snowden?
It all comes down to trust, and once there is no more trust (like in case of US gov) then the burden of proof they are not doing anything wrong is on them.
Sure. At the same time, even if trust was broken does not imply that NSA was using <0 day exploits which is what the article was saying. Or can I start posting blog posts about NSA developing super-AIDS since it has not proven that it is not?
No need to pull up AIDS "conspiracy"/conspiracy theories.
NSA has been already caught spying on everyone in the world. The method explained allows them more spying. Would you risk your country security, or your own business relying on a piece of technology that NSA or anyone else can use for spying on you? Given a choice between multiple platforms why would you choose one vulnerable to spying and inherently unsecure?
Your comment if off-topic. Article said, "Microsoft gives NSA exploits which they then use to spy on people". I pointed out that there is not a single recorded instance of that.
> Or can I start posting blog posts about NSA developing super-AIDS since it has not proven that it is not?
I don't see why not. The same logic is used by the governments' war on terror. "We're going to detain you and put you on a 'no fly' list until you prove you aren't a terrorist".
You do know that both the CIA and the KGB use propaganda during the cold war and post collapse of the USSSR ? The CIA funded a cartoon of animal farm for example.
Seems very sensational. Where in my 6 year old Core2Quad machine would I find these fabled chips? Or for that matter, where on a modern motherboard would I find one?
This is what the "trusted environments" on chips can be used for, which are currently at least used for DRM (but who knows what else). This is something people like Richard Stallman and Cory Doctorow have warned for years - that allowing them to DRM your machine at the hardware level, inevitably means the machines will eventually be used against you for different purposes, including surveillance or censorship.
This is exactly what the NSA is implying when they say they want to be the "anti-virus of the Internet". TPM will allow Microsoft and/or NSA to remotely disable viruses from every computer - and course anything else they want - anywhere in the world, and that's how they will promote it to normal people: "It will make you safe".
All that is correct, but it needs (a) support in software and (b) the outside party having secret values mathematically related to the "attestation key" embedded in the TPM. The OS designed for this kind of system then uses the TPM to verify the signature, hash or whatever of software, and would either shut down any unapproved software or deny access to the DRM'd data.
I don't know whether Windows 8 is like that, but anyway you can opt out of it by using an OS that doesn't support any remote control. In many BIOS's you can turn TC support off.
It is not about Windows 8 but about TPM 2.0. Which basically limits the control over your computer, it might be mostly harmless for private users but for governments and critical infrastructure it is not.
True. But you don't have to provide a nice backdoor for them to use, do you?
Every system has a set of exploitable vulnerabilities. Each of those vulnerabilities is known by a set of parties other than you. With Windows you can be sure those sets have at least one element each.
And beyond the issue of baseless speculation as a replacement for journalism, it's a little hard to understand why NSA (or anyone else) controlling TPM is a special threat to users. Despite what the article claims, I don't think TPM is a "backdoor" and it certainly isn't a "surveillance chip". And the articles don't explain how control over TPM gives someone a special advantage over computers with TPM support, an explanation I'm not holding my breath for.