this post was submitted on 06 Jan 2024
296 points (90.7% liked)

Technology

59285 readers
2779 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

RIP Microsoft WordPad. You Will Be Missed::It's truly the end of an era as we say farewell to a real one.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 10 months ago (1 children)

To me it isn't even the bloat and spyware, because you can possibly patch those out. To me the issue with 11 and 12 is that they require you to have TPM which potentially could be used to remotely disable your computer without your consent.

You are better off not encrypting your device with it because you can circumvent TPM entirely if you have physical access or admin rights anyway. (So full disk encryption would not work if you were raided). It is a security flaw, and I am certain that the purpose is to allow backdoors and for Digital Rights Management, and you want neither on your computer.

[–] [email protected] 6 points 10 months ago (2 children)

Well I have good news for you, the TPM can't do those things. The TPM is just a hardware module that stores cryptographic keys in a tamper-resistant chip, and can perform basic crypto functions.

In of itself, it can't be addressed remotely, but it is usually used as a component of a greater security scheme. For example, in full disk encryption, it can be used to ensure that disk can't be decrypted on a different device.

There's been a lot of FUD surrounding TPMs, and it doesn't help that the actual explanation of their function isn't something easily described in a couple of sentences.

There's no reason to be afraid of a TPM, and for the privacy-minded and security-conscious, it can even be used as part of a greater security scheme for your device and its data.

Of course at the same time, it's not a feature most home users would make full use of, and as for not liking Windows, carry on. There's plenty of reasons to avoid it if those things are important to you

[–] [email protected] 2 points 10 months ago (1 children)

May I ask a question out of curiosity? If my system dies on a hardware level, and I have to save my hard drive, how can I access it then if I can't put it in another system?

[–] [email protected] 2 points 10 months ago

Generally commercial drive encryption solutions, like Bitlocker, usually has a backup recovery key that can be used to access the encryption key if your TPM is reset, or if your device dies.

So I guess the short answer is most of these solutions don't fully protect it from being moved to another device, they just add another layer of security and hassle that makes it harder to do. And without the TPM as part of these solutions, you would be entering a 48-character passphrase every time you boot your device, which has several security flaws of its own.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (1 children)

Assuming you use bitlocker on your PC, how do you know the entire content of the TPM (your bitlocker encryption key, etc) cannot be fetched from the TPM by the manufacturer or any third parties they shared it tools and private keys with?

It is my understanding that every TPM has a predetermined private key inside that you the user cannot see, but how can I be sure no one else does either?

And because it is hardware based, how do I as a user know that it does what it claims it does as I would with a software based encryption software that is open source (like truecrypt/veracrypt).

As for DRM, doesn't Xbox series have their equivalent chips that specifically is used for DRM? Also wasn't DRM listed as one of the features when they introduced TPM?

[–] [email protected] 3 points 10 months ago (1 children)

Assuming you use bitlocker on your PC, how do you know the entire content of the TPM (your bitlocker encryption key, etc) cannot be fetched from the TPM by the manufacturer or any third parties they shared it tools and private keys with?

The TPM specification is an open standard by the Trusted Computing Group, and there are certification organizations that will audit many of these products, so that's a good place to begin.

As with any of the hardware in your device, it does require some amount of trust in the manufacturers you have chosen. These same concerns would apply to anything from the onboard USB controllers to the CPU itself. There's no way to be absolutely certain, but you can do your due diligence to get a reasonable level of confidence.

And because it is hardware based, how do I as a user know that it does what it claims it does as I would with a software based encryption software that is open source (like truecrypt/veracrypt).

This is a reasonable thing to think about, although very few individuals are qualified to understand and audit the source code of encryption software either, so in most cases you are still putting your faith in security organizations or the community to find issues.

When it comes to security, it often comes with a trade-off. Hardware devices can achieve a level of security that software can't completely reproduce, but they are a lot harder to audit and verify their integrity.

In any case, the TPM is something that software solutions have to explicitly call in the first place, it isn't something that activates itself and starts digging into your hard drive. Which means if you don't want to use it in your security solution, then it will sit there and do nothing. You can keep using your encryption keys in clear memory, visible to any privileged software.

I don't know specifically about the XBox and how it uses it, but the TPM absolutely can be used as part of a DRM scheme. Since the TPM can be used to encrypt data with a key that can't be exported, it could be part of a means to hinder copying of content. Of course this content still has to be decrypted into memory in order to be used, so people looking to defeat this DRM usually still can. DRM as a whole is often shown to be a pretty weak solution for copy protection, but companies won't stop chasing it just the same.

[–] [email protected] 0 points 10 months ago

I am a software developer, so I have some confidence that I can at least personally verify that the source doesn't do anything malicious.

And while the software doesn't have to use TPM, it shouldn't be up to the software, it should be up to me, the user.

Windows 11 enforces using TPM 2.0, so I get no choice in the matter.

If it becomes standard to use TPM, I the user lose control.

You can keep using your encryption keys in clear memory, visible to any privileged software.

What kind of software would I give kernel level access to? Honestly the only thing I can think of is if I ran it all in a virtual machine and the VM memory was dumped, but other than that, it would imply the OS itself is accessing the RAM, or a hardware level vulnerability allows it, but at this point, how is TPM even going to help?