“Loss of Control Over the Operating System and the Hardware”
I expected the German Federal Office for Security in Information Technology (BSI) to contact me in an icily polite but firm manner and make me recant, and I almost expected some goons to show up with an offer I couldn’t refuse, and I half expected Microsoft to shut down my computers remotely and wipe out all my data and make me, as the Japanese say, cry into my pillow for weeks, or something. But none of that happened.
Instead, the BSI officially confirmed on its website the key statements in what has become my most popular article ever. On my humble site alone, it was read over 44,000 times so far, received over 2,090 Facebook “likes,” and was tweeted over 530 times. Here it is: LEAKED: German Government Warns Key Entities Not To Use Windows 8 – Links The NSA.
Internal documents from the BSI that were leaked to Die Zeit described how Windows 8 in conjunction with the new Trusted Platform Module (TPM 2.0) – “a special surveillance chip,” it has been called – allowed Microsoft to control computers remotely through a built-in backdoor without possibility for the user to opt in or opt out. The goal is Digital Rights Management and computer security. Through remote access via this backdoor, Microsoft determines what software is allowed to run on the computer, and what software, such as illegal copies or viruses and Trojans, should be disabled. Keys to that backdoor are likely accessible to the NSA – and in an ironic twist, perhaps even to the Chinese.
Users of Windows 8 with TPM 2.0 (the standard configuration and not an option) surrender control over their machine the moment they turn it on. For that reason, according to the leaked documents, experts at the BSI warned the German Federal Administration and other key users against deploying computers with Windows 8 and TPM 2.0.
The BSI could have brushed off these leaked documents as fakes or rumors, or whatnot. But instead, in response to “media reports,” it decided to clarify a few points on its website, and in doing so, confirmed the key elements. Here are the salient points:
For specific user groups, the use of Windows 8 in combination with TPM may well mean an increase in security. This includes users who, for various reasons, cannot or do not want to take care of the security of their system, but trust that the manufacturer of the system provides and maintains a secure solution. This is a valid user scenario, but the manufacturer should provide sufficient transparency about the potential limitations of the architecture and possible consequences of its use.
From the perspective of the BSI, the use of Windows 8 in combination with TPM 2.0 is accompanied by a loss of control over the operating system and the hardware. This results in new risks for the user, specifically for the Federal Administration and critical infrastructure.
It explains how “unintentional errors” could cause hardware and software to become permanently useless, which “would not be acceptable” for the Federal Administration or for other users. “In addition, the newly established mechanisms can also be used for sabotage by third parties.”
Among them: the NSA and possibly the Chinese.
The BSI considers complete control over the information technology – including a conscious opt-in and later the possibility of an opt-out – a fundamental condition for a responsible use of hardware and operating system.
Since these conditions have not been met, the BSI has warned the “Federal Administration and critical infrastructure users” not to use the Windows 8 with TPM 2.0. The BSI said that it remained in contact with the Trusted Computing Group as well as with makers of operating systems and hardware “in order to find appropriate solutions” (whole text in German).
This alleged connection between Windows and the NSA isn’t new. Geeks have for years tried to document how Microsoft has been cooperating with the NSA and other members of the US Intelligence Community in designing its operating systems. For example, rumors bubbled up in 2007 that computers with Vista, at the time Microsoft’s latest and greatest (and much despised) operating system, automatically established a connection to, among others, the Department of Defense Information Center and Halliburton Company, back then the Darth Vader of Corporate America.
The Windows 8 debacle comes on top of the breathless flow of Edward Snowden’s revelations and paint a much more detailed picture of how the NSA’s spying activities are dependent on Corporate America. These revelations are already slamming tech companies as they find it harder to sell their allegedly compromised products overseas. Which foreign government or corporation would now want to use Windows 8 with TPM 2.0?
Or is this – and the entire hullabaloo about the Snowden revelations – just another item in the governmental and corporate category of “This Too Shall Pass?” The answer lies in this paragraph:
No laws define the limits of the NSA’s power. No Congressional committee subjects the agency’s budget to a systematic, informed and skeptical review. With unknown billions of Federal dollars, the agency purchases the most sophisticated communications and computer equipment in the world. But truly to comprehend the growing reach of this formidable organization, it is necessary to recall once again how the computers that power the NSA are also gradually changing lives of Americans….
The year? Not 2013. But thirty years ago.
It was published by the New York Times in 1983, adapted from David Burnham’s book, The Rise of the Computer State [brought to my attention by @mark_white0]. And we’re still going down the same road. Only now, we’re a lot further along. No wonder that tech companies, government agencies, and Congress alike think that this too shall pass. Because it has always done so before.
Enjoy reading WOLF STREET and want to support it? Using ad blockers – I totally get why – but want to support the site? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:
Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.