TPM - Its never there
It's already in essentially all laptops, it's already in essentially all "business class" desktops, it's already in some "personal class" PC's, and it's MANDATORY in ALL new Windows PC's as of 16 months from now.
Ummmm yeah........ "never".
-
Minor correction: Microsoft has declared they plan to make it mandatory starting less then a year-and-a-half from now.
-
There's lots of screaming about it, that is backed up by a big lack of knowledge about it.
I've studied all one-hundred-plus pages of the TPM technical specification. I know how it works in detail.
It really seems like something that some people just want to be a big evil issue so they pretend it is.
At one point the TPM technical specification explicitly names the owner of the computer as a potential "attacker", and explicitly states the chip must be secure against the owner. And in about a hundred places it endlessly mandates that the chip is forbidden to allow anyone, which includes the owner, to ever access the master keys.
I could see the issue if this was being required, but it isn't.
Microsoft has declared they plan to make it mandatory starting less then a year from now.
-
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI...
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them....
The amount of knee-jerk that goes on with this shit is pretty amazing.
Quoting fucking MICROSOFT.COM News Center:
"Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that s a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We re working to require TPM 2.0 on all devices by January 2015"
You're seriously going to call me "paranoid" when Microsoft has an official public statement that they plan to make this Trusted Computing shit mandatory starting less than a year and a half from now?
Over a half-billion computers have already been shipped with this shit welded to the motherboard. THAT'S why the Ask Slashdot story is asking how to avoid this shit. A lot of computers already come with this shit on the motherboard, and not all of the sales materials list that it's in there.
-
But *no* consumer board I'm aware of ships with the *chip.*
Then you obviously haven't been paying attention. Almost all laptops are now shipping with TPMs, and they are increasingly being shipped in desktops. When I was shopping for a PC last year I spotted TPM listed in several system specification lists from different major PC vendors.
According to the Trusted Computing Group more than a half billion PCs have already shipped with the Trusted Platform Module. Computer Weekly puts it at over 600 million PCs.
And according to "ZDNET "In January 2015, TPM 2.0 will be required on all certified Windows devices".
And according to Microsoft News Center, and I quote:
The Trusted Platform Module is a hardware security device or chip that s a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We re working to require TPM 2.0 on all devices by January 2015
So the answer to the question, I think, remains "All of them."
You were trying so say that "all" personal computers were TPM-free, but it turns out that "All of them" is is what they plan to try and force on us starting less than a year and a half from now. And as noted, over a half billion already shipped.
-
The Globally-Unique MAC addresses seem to be a pretty blatant security and tracking problem. I've been increasingly wondering why we don't simply start randomizing the MAC address every time the device is turned on, or perhaps even randomizing it for each new connection.
Yes, in principle this could result in a random address collision between two devices. However MACs are 48 bits... this means you'd need to have over 16 million devices simultaneously connected to the same access point before there's a substantial chance of two of them randomly colliding. I'd call that a rather pretty negligible trade off to obtain some privacy and security. And if one device does detect a MAC collision it could simply re-randomize.
As for additional "security risks" of randomizing MAC addresses, not really. It's already trivially easy for someone to deliberately fake your MAC address on their own device. So no new threat there. If anything, I think randomizing (and regularly re-randomizing) the MAC address would be a security benefit. If someone does deliberately fake your MAC address, the target lock is neutralized when your device re-randomizes.
-
Ooops. Ignore my comment above.
I had Slashdot post threshhold at 3. I didn't see the AC post about Apple. I thought you were referring to the original AC post regarding the TPM.
-
TCM/TPM is often a business only feature.
That was the initial market, but the Trusted Computing Group is quite clear that they intend, as soon as they can manage it, for it to be included in all computers. And they are well on their way to achieving that. They are already included in almost all laptops, and they are increasingly showing up in desktops.
In other words, yes, you can totally opt out of buying a motherboard with TPM
The entire point of the Ask Slashdot is that it's becoming increasingly difficult to do so. More and more computers are being shipped with the TPM soldered in place, and without the product description mentioning that fact anywhere.
-
As usual, people fear what they don't understand.
I've studied the entire TPM technical specification. I understand it in minute detail.
The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature.
EXACTLY!
And the entire point here is that you DON'T have the keys. The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys. Specifically this means the PrivEK (Private Endorsement Key) and the SRK (StorageRootKey). The owner is forbidden to have his StorageRootKey, because the StorageRootKey is explicitly designed to encrypt data on the harddrive such that the owner of the computer cannot read or alter it. The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) securely tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.
TPM is just a secure hardware keystore.
It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys.
The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.
Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Lets make it really simple. The moment they give owners some option to read their keys out of the chip, or give owners the option to buy chips that come with a printed copy of they keys, then I will jump up front and center proclaiming that Trusted Computing is wonderful and harmless... I'll lead the charge smacking down anyone claiming it's evil.
However the Trusted Computing Group has explicitly refused all demands for any sort of "Owner Override" and explicitly forbid owners to ever get a hold of their own keys. That is because the entire point of Trusted Computing is to secure computers AGAINST their owners. The entire point of Trusted Computing is that "Owners can't be trusted", so they want to be able to "Trust" computers to be secure against the owners.
The moment they allow owners to get their keys then I agree that the owner is in control.
Note that the standard argument against allowing owners to get their keys is that a virus or malware or something might get a hold of the key if it's accessible from the chip, or if it's on the harddrive anywhere. Which is a patently bullshit argument for refusing to let me buy a chip with a PRINTED COPY of my master keys. Malicious software can't read paper. End of argument. Then I can toss the printed keys in my safety deposit box at my local bank, and you can't make any believable argument that it's somehow "for my security" that you're refusing to let me get my own goddamn keys.
A simple rule for everyone:
Just say "I want my keys", NO KEYS, NO SALE
-
Are you clueless? He's not "talking sense". The whole point here is that it's becoming increasingly difficult to not-buy a TPM. A lot of motherboards now have this shit welded in place, and its presence is often not listed when you're shopping to buy a computer.
An "Ask Slashdot" on how to avoid purchasing Trusted Computing is entirely appropriate. Hell, there should be a goddamn front page story in the New York Times telling people that many computers are being shipped with TPMs, and informing the general public where to shop if they don't want to fork over money for an anti-owner TMP chip pre-welded into whatever computer they buy.
-
No, it's you missing something.
just don't buy the module.
THAT IS EXACTLY WHAT HE'S TRYING TO DO.
A lot of computers are now being shipped with TPM's SOLDERED onto the motherboard, and they are making progressing on packaging the TPM inside the CPU chip.
He doesn't want to buy that crap, I don't want to buy that crap, and the problem is that a lot of people are buying that crap without knowing it. The Trusted Computing Group has stated that part of their strategy for forcing everyone to buy into their Trusted Computing crap is to ensure that TPMs are already built in to all new computers being sold.
-
I like my jokes like I like my symphonies
-
I like my women like I like my wine....
one hundred years old and locked in my cellar.
-
The exploit transmits your identifying information to IP address 65.222.202.54. The information includes a unique tracking number generated by the exploit server, your computer's MAC address, your computer's host name, and any other IP addresses and host names visible on your local network.
This IP address traces back to a Verizon business account just outside Washington D.C., not far from FBI and CIA headquarters. You can see the IP location trace here, complete with a zoomable Google map. However note that the location trace is probably just an approximate location. Zooming all the way in shows a local shopping center, but that's probably just the location randomly landing at the "center" of a town or other service area.
-
UEFI was never intended to improve security. Along with Microsoft's extensions it was designed as a lock-in tool.
Reality check.
It looks like your post was intended to show the prior commenter was "not in touch with reality", however what you actually did was confirm that he was right. Your conclusion states "Secure Boot wouldn't be a problem
And yeah, TrustedComputing&Secureboot are a truckload of extremely malignant problems even if Linux were a majority share of desktops.
-
Ya'll hear about the geometer who went to the beach to catch some rays and became a tangent ?
