
German Government Warns Key Entities Not To Use Windows 8 – Links The NSA - devx
http://investmentwatchblog.com/leaked-german-government-warns-key-entities-not-to-use-windows-8-links-the-nsa/
======
rainsford
This is among the sillier NSA stories I've read. First of all, the "link to
NSA" was basically invented out of thin air. The original article in Die Zeit
as well as this one are basically just reporting that TPM COULD be a
"backdoor" for the NSA but not actually supporting the idea that it IS.

And beyond the issue of baseless speculation as a replacement for journalism,
it's a little hard to understand why NSA (or anyone else) controlling TPM is a
special threat to users. Despite what the article claims, I don't think TPM is
a "backdoor" and it certainly isn't a "surveillance chip". And the articles
don't explain how control over TPM gives someone a special advantage over
computers with TPM support, an explanation I'm not holding my breath for.

~~~
forgottenpaswrd
Excuse moi, man, but TPM IS a backdoor.

How would you define it when MS, whenever it wants, could enter your computer
and control it without you ever realizing?

Then, if anything is proven, it is that if Microsoft can, then the NSA can too.

Why is Microsoft controlling the crypto keys to your computers a problem? Are
you serious?

Why is American companies controlling all the computers of the rest of the
world an issue?

Europe for one should not depend on American companies for basic use of their
computers. This is obvious, if you are not American.

~~~
rbanffy
> This is obvious, if you are not American.

This should be obvious, regardless of nationality.

~~~
iooi
It is. Just look at the GP's comment history and it becomes pretty obvious
that it's a shill adamantly defending the NSA.

~~~
rbanffy
> adamantly defending the NSA

Is it even possible?

------
guardian5x
The story is false, and the BSI (Federal Office for Information Security) has
denied the rumours and explicitly does NOT warn of Windows 8:
[https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2...](https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2013/Windows_TPM_Pl_21082013.html)

It was just a story made up by a German site (zeit.de).

~~~
mtgx
The story seems to be from leaked internal documents. Haven't we learned
better over the past 2 months than trusting the "official statements"
afterwards, that inevitably deny it whether it's true or not?

At the very least, I think this deserves more exploring. It's not the first
time I saw the Germans weren't happy with Windows 8 and its "secure boot".
This is from last November:

[http://www.linuxbsdos.com/2012/11/21/german-govt-comes-out-a...](http://www.linuxbsdos.com/2012/11/21/german-govt-comes-out-against-trusted-computing-and-secure-boot/)

And it seems the source for that is _your_ source. So are they contradicting
themselves now?

[http://www.bmi.bund.de/SharedDocs/Downloads/DE/Themen/OED_Ve...](http://www.bmi.bund.de/SharedDocs/Downloads/DE/Themen/OED_Verwaltung/Informationsgesellschaft/trusted_computing_eng.html)

~~~
arnehormann
Those are different sources. BMI = "Bundesministerium des Inneren", interior
ministry. BSI = "Bundesamt für Sicherheit in der Informationstechnik", federal
office of IT security. And they are not contradicting themselves. The
statement they just issued reiterated Windows 8 is not safe for government and
critical infrastructures.

------
tty
Previous discussion

[https://news.ycombinator.com/item?id=6248010](https://news.ycombinator.com/item?id=6248010)

~~~
throwawaykf02
And the most important comment on that thread, which is unfortunately not at
the top:

[https://news.ycombinator.com/item?id=6249933](https://news.ycombinator.com/item?id=6249933)

------
thomasz
Wrong.

[http://www.heise.de/newsticker/meldung/BSI-Trotz-kritischer-...](http://www.heise.de/newsticker/meldung/BSI-Trotz-kritischer-Aspekte-keine-Warnung-vor-Windows-8-1940081.html)

~~~
sdfjkl
From that article:

_However, this means no all clear in terms of Trusted Computing. While the
publicly available TPM 2.0 specification includes no back-doors, any
implementation might do so, either by malicious intent, due to implementation
errors or government pressure. This risk can be met only if implementations
are scrupulously tested and certified by independent bodies. This is not the
case with the integrated TPM of current Windows 8 tablets, to name just one
example._

------
RDeckard
Can't tell fact from fiction these days. What is the credibility of
investmentwatchblog.com?

~~~
adamnemecek
The sentence "Microsoft [...] informs the US government of security holes in
its products well before it issues fixes so that government agencies take
advantage of the holes and get what they’re looking for." kind of suggests how
credible the source is.

~~~
maxden
That was reported in a Bloomberg story also:
[http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t...](http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html)

It obviously gives the Govt time to protect themselves, but they could also
exploit it on other systems.

~~~
adamnemecek
I'm aware of the fact that they were informed first but I'm not aware of
instances of gov't agencies using these exploits to get 'what they are looking
for'.

~~~
levosmetalo
> I'm aware of the fact that they were informed first but I'm not aware of
> instances of gov't agencies using these exploits to get 'what they are
> looking for'.

Were you aware of NSA surveillance before Snowden?

It all comes down to trust, and once there is no more trust (like in the case
of the US gov) then the burden of proof that they are not doing anything wrong
is on them.

~~~
adamnemecek
Sure. At the same time, even if trust was broken, that does not imply that the
NSA was using <0 day exploits, which is what the article was saying. Or can I
start posting blog posts about the NSA developing super-AIDS since it has not
proven that it is not?

~~~
levosmetalo
No need to pull up AIDS "conspiracy"/conspiracy theories.

The NSA has already been caught spying on everyone in the world. The method
explained allows them more spying. Would you risk your country's security, or
your own business, relying on a piece of technology that the NSA or anyone else
_can_ use for spying on you? Given a choice between multiple platforms, why
would you choose one vulnerable to spying and inherently insecure?

~~~
adamnemecek
Your comment is off-topic. The article said, "Microsoft gives NSA exploits which
they then use to spy on people". I pointed out that there is not a single
recorded instance of that.

------
alimbada
Seems very sensational. Where in my 6 year old Core2Quad machine would I find
these fabled chips? Or for that matter, where on a modern motherboard would I
find one?

~~~
mtgx
This is what the "trusted environments" on chips can be used for, which are
currently at least used for DRM (but who knows what else). This is something
people like Richard Stallman and Cory Doctorow have warned for _years_ - that
allowing them to DRM your machine at the hardware level, inevitably means the
machines will eventually be used against you for different purposes, including
surveillance or censorship.

This is exactly what the NSA is implying when they say they want to be the
"anti-virus of the Internet". TPM will allow Microsoft and/or NSA to
_remotely_ disable viruses from every computer - and of course anything else they
want - anywhere in the world, and that's how they will promote it to normal
people: "It will make you safe".

~~~
ds9
All that is correct, but it needs (a) support in software and (b) the outside
party having secret values mathematically related to the "attestation key"
embedded in the TPM. The OS designed for this kind of system then uses the TPM
to verify the signature, hash or whatever of software, and would either shut
down any unapproved software or deny access to the DRM'd data.

I don't know whether Windows 8 is like that, but anyway you can opt out of it
by using an OS that doesn't support any remote control. In many BIOS's you can
turn TC support off.

Here is the formerly canonical, maybe dated now, overview of TC:
[http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html](http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)

------
frank_boyd
I still don't know why people limit the scope of surveillance
products/services to Microsoft.

There are a handful of companies to avoid that work with the NSA.

If you have missed the list, check out the slides:
[http://www.theguardian.com/world/2013/jun/08/nsa-prism-serve...](http://www.theguardian.com/world/2013/jun/08/nsa-prism-server-collection-facebook-google)

~~~
tehabe
It is not about Windows 8 but about TPM 2.0, which basically limits the
control over your computer. It might be mostly harmless for private users, but
for governments and critical infrastructure it is not.

------
Zoomla
"It allows Microsoft to control the computer remotely through a built-in
backdoor." Like every other mobile OS...

------
mrt0mat0
So.... Linux everyone?

~~~
rdtsc
This would be the time for Canonical to move in and pitch Ubuntu.

------
jister
If hackers want to hack your server, it doesn't matter what OS you're using.

~~~
rbanffy
True. But you don't have to provide a nice backdoor for them to use, do you?

Every system has a set of exploitable vulnerabilities. Each of those
vulnerabilities is known by a set of parties other than you. With Windows you
can be sure those sets have at least one element each.

------
shortcj
What about 'Intel inside' do you not understand?

