About Author
Glyn Moody

Glyn Moody's look at all levels of the enterprise open source stack. The blog will look at the organisations that are embracing open source, old and new alike (start-ups welcome), and the communities of users and developers that have formed around them (or not, as the case may be).

Windows 8+TPM: Germany Warns of 'Loss of Control'


Last year, I wrote about some serious issues with Microsoft's Secure Boot Technology in Windows 8. It seems that the German government has started to wake up to problems with Windows 8, as this headline in Die Zeit attests:

German government warns about Windows 8

More specifically, it's the Trusted Platform Module (TPM) that could cause trouble according to the newspaper:

Windows 8 is an unacceptable security risk for companies and authorities, experts warn the government. So-called "Trusted Computing" is a back door for the NSA.

This was picked up by InvestmentWatch, in a story that was widely linked (including by me):

According to leaked internal documents from the German Federal Office for Information Security (BSI) that Die Zeit obtained, IT experts figured out that Windows 8, the touch-screen enabled, super-duper, but sales-challenged Microsoft operating system is outright dangerous for data security. It allows Microsoft to control the computer remotely through a built-in backdoor. Keys to that backdoor are likely accessible to the NSA – and in an unintended ironic twist, perhaps even to the Chinese.

Rather unusually, this has prompted Germany's Federal Office for Information Security (BSI in German) to issue a statement about these press reports. Here's a rough translation of the key paragraph:

From the BSI's perspective, the use of Windows 8 combined with TPM 2.0 is accompanied by a loss of control over the operating system and the hardware used. As a result, new risks arise for the user, especially for the federal government and for those providing critical infrastructure. In particular, on hardware running Windows 8 that employs TPM 2.0, unintentional errors of hardware or the operating system, but also errors made by the owner of the IT system, could create conditions that prevent further operation of the system. This can even lead to both the operating system and the hardware employed becoming permanently unusable. Such a situation would not be acceptable for either the federal authorities or for other users. In addition, the newly-established mechanisms can also be used for sabotage by third parties. These risks must be addressed.

As can be seen from this clarification, we are not dealing with a security vulnerability – unlike an earlier story regarding Microsoft passing zero-day exploits to the NSA for use against governments and companies. Rather, this is about the worrying fact that a system you own might stop working for reasons that are completely beyond your control.

What the German government is saying is something that I have emphasised for many years: that the key benefit of using free software is not really financial, although it may well be cheaper to run open source systems than proprietary ones, depending on the exact circumstances. Rather, what free software gives is what its name proclaims: freedom. It lets you use your software and system as you wish, not subject to external constraints.

The importance of this aspect is greatly underestimated. After all, no company would accept that it could be told how to use its offices, or that it must buy new company cars when manufacturers order it. And yet that is pretty much what proprietary computer software companies are able to do. The warning from the German government is really just another way of putting this: if you wish to be in control of your systems, do not deploy Windows 8 with TPM 2.0. It's only a pity that the German government didn't take the next step and explicitly recommend the use of open source software to place control firmly in the user's hands.

Follow me @glynmoody on Twitter or, and on Google+

