
[UPDATE] German government calls security within Windows 8 "unacceptable" – continues switching their machines over to Linux

Do you trust Microsoft’s latest operating system, Windows 8? If you are the Federal Republic of Germany, the answer to that question is "no". Last week internal documents from IT professionals within the government showed a strong rejection of the new operating system, calling it "unacceptable for the federal administration and the operators of critical infrastructure".

The German government feels technology within the latest operating system creates a dangerous backdoor that could allow access to confidential information. With the United States’ National Security Agency in the not so positive spotlight recently, concerns about keeping confidential data secure are at an all-time high.

The new trust issue is ironically due to the latest version of Trusted Computing – a technology developed to enforce behavior on a PC. The operating system works with a Trusted Platform Module (TPM) chip to coordinate and regulate what software can be run on a PC and how secure data is managed. The idea behind the Trusted Computing platform is to prevent malicious software and code from running on your machine.

The latest edition of the TPM chip included with Windows 8 will come already activated when you receive a new PC. In addition, while you can "disable" the TPM chip, there is no way to completely shut it off and ensure that it won’t re-enable itself.

While this all might sound keen and dandy to the average user, the new Trusted Computing platform could possibly serve as a backdoor into the system when updates are pushed. The new TPM chip also removes complete control from the user without a firm way to opt-in and opt-out of the technology.

In an official statement, Germany’s intelligence agency stated that:

"The BSI warns neither the public nor the Federal German company prior to any deployment of Windows 8, the BSI currently provides, however, some critical aspects related to specific scenarios in which Windows 8 is operated in combination with a hardware is that has a TPM 2.0., for certain groups of users, the use of Windows 8 in combination with a TPM may well mean an increase in safety. This includes users who cannot or for various reasons do not worry about the security of their systems want, but the manufacturer of the system trust that this provides and maintains a safe solution. "

(Please note the above quote was translated from German into English and therefore may not be completely accurate word for word.)

The biggest problem for Microsoft? The Munich city administration in Germany has already decided they prefer to go without Windows and take a different route for increased security in the future – Linux. The city had begun a transition to switch all of their machines from Windows to Linux; the transition began ten years ago, but to government officials today – it doesn’t seem to be a bad idea. The entire city administration for Munich expects a completion date sometime in late 2013.

Here in the United States, the government has been using Linux on its backend servers for a long time, but a strong partnership with Hewlett-Packard keeps PCs running Windows XP and Windows 7 front and center.

UPDATE: We are not going so far as to insinuate that the NSA or other government agencies would actually use a TPM chip to gain access to a secure machine. In addition, there have been a few reports stating that the German government may have or may not have made certain statements – either way, our focus is to discuss the current possible security faults with the second generation of the Trusted Platform hardware and Microsoft’s Windows 8 operating system.

Source: The Register (UK)


Comments


This information is not true!!!!!
Please read this: http://www.zdnet.com/dont-let-paranoia-over-the-nsa-and-tpm-weaken-your-security-7000019791/?s_cid=e064&ttag=e064
 
These TPM chips are produced by a company in GERMANY!!!!! This information has already proven to be a conspiracy...

Hi Robert, we got your opinion. Please don't spam the thread multiple times. Thanks.

It's disappointing that you continue to spread this false information instead of correcting your mistake. Way to take away from your own credibility.
 
This is the reason tech journalism is the worst.

korg250 says:

This was the first time I saw the zdnet article. So, thank you Robert.
Also, Michael, if you already knew about this story being a conspiracy, why didn't you mention it in the article? Or only your opinion matters here?

This was not an opinion piece, if you reread the article you will find that I did not insert my own opinions – only reiterated previously announced information. There are a lot of "conspiracies" on the internet and as you can see, once we were able to find doubt on the topic we updated with a statement. Thanks for reading!

Lame response. Accept your mistake when you make one rather than defending.

Blau34 says:

Fact is that BSI said "Windows 8 might be a risk with TPM 2". And all Government institutions shouldn't use it.
I know it. One of our customers is a Government institution. I know that they did not migrate to Windows 8.

jasonxz says:

So, what you're saying is that if a government entity doesn't migrate to the version of Windows that's less than a year old, it HAS to be related to this report.

Blau34 says:

And they also stop migration to Windows 7. At the moment.
And this migration was planned for the end of 2013.

greg2k says:

All this TPM scaremongering needs to stop. Never in my life have I seen a case where TPM results in lower security.

WinFan1 says:

guys guys I realize my comment was not very constructive, but I'm getting notified about this conversation I couldn't care less about because you guys piggybacked my comment. :(

iyae says:

How about you actually leave a real comment then next time?

WinFan1 says:

Don't remember needing your permission to comment any way I please but thanks anyway.

Tips_y says:

I don't read any sort of permission in what he said. If anything, it was more a suggestion, or better yet sarcasm.

CommonBlob says:

This sounds like nonsense to me. Linux *can* be more secure, of course, but Linux suffers as many security exploits as Windows. In fact, if I recall, it's about 4 times as many as Windows 8.
Anyway, hacks these days are from social engineering, and I bet the users in Germany on Linux are as dense as those on Windows :)

ThePangolino says:

That's very accurate. As Linux being a UNIX type operating system, it has been inherently more secure than the earlier versions of Windows. Today of course, Microsoft managed to catch up. The "social engineering" attack is also much harder to pull off as it is highly unusual for a Linux user to have to download anything from the web then have to run it. Moreover compiling a program is an insanely hard thing to do! Instead, installing programs is done via repositories which are very similar to the various app stores you see now popping up in various platforms.

link68759 says:

Compiling isn't hard at all, and operating systems like FreeBSD completely automate it for you to the point that you just have to type "make install" and watch it go...

ymcpa says:

Take it one step further. These are government worker users. They are more dense than even the average user.

Linux is open source, windows is closed source, and microsoft has been proven to work with the nsa and has been caught multiple times lying about it.

realwarder says:

You do know that Microsoft shares the source code to governments for review if demanded.

Blau34 says:

And that is the reason the BSI knows that Windows 8 might be a risk.

NightWatch71 says:

Really? Didn't know that. That alone simply makes most of the conspiracy theories pointless.

Duffau says:

Oh really? Been caught several times eh? I'd love to see some proof, but you probably won't reply.

The statement: https://www.microsoft.com/en-us/news/Press/2013/Jul13/07-11statement.aspx

>To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product.

The prism slide: http://a.pomf.se/4Lw0.png

Microsoft was actually the first company to join. You probably didn't even look through all the leaked documents and that's why you act so ignorant.

Duffau says:

Ok so here's what you said:

Linux is open source, windows is closed source, and microsoft has been proven to work with the nsa and has been caught multiple times lying about it.

And here's what I said:

Oh really? Been caught several times eh? I'd love to see some proof, but you probably won't reply.

So take a minute to actually read my response to what you actually said before calling people ignorant. I asked for specific proof of where MS was caught lying, several times no less. And even if we were discussing what you posted about, the order in which companies got signed up makes no difference, they are all signed up (what do you suggest they do, say FU to the government?). Also, MS has always stated in the past that they will provide very specific info (not blanket and direct access) when a government agency demands it (especially when they must legally comply). I'm still waiting for the part where they were caught lying.

explosive0 says:

Definitely not nonsense. Did you even read the article? This is particularly related to TPM in Windows 8.

FeedTheShark says:

Just another MS hater and Linux lover somehow got a top job and strong armed people into "saving money using Linux", not thinking how difficult it will be for users to switch.
"So just open that Excel file the French administration sent over Henrich"
"Errr nein possible"

I assume you have not used any modern distros like Ubuntu or elementary OS.

Wouldn't this be a quick fix? Wasn't this in place indirectly for government backdoor use anyway? I'm confused. I'm pretty sure MS already knows of this "back door".

Adorath says:

I don't see any reason why a government can't develop their own OS... Why should they use win8?

RyanAMG says:

Lets not get the Germans side tracked. We need them to keep making kick ass cars.

willied says:

Those car companies aren't owned by the government so they really have nothing to do with each other.

RyanAMG says:

No shit dumb ass. Look up what a joke is you may learn something.

willied says:

Wow, you sure took that hard. You might want to check yourself into anger management.

inurear says:

Linux being open source allows them to modify the O/S to their liking, virtually like having their "own OS"

Apple did the same thing, thus, MountainLionX etc., is based off of Linux as well.
 

Ordeith says:

OSX is FreeBSD, not Linux.

Bob Shiska says:

OS X is a Unix OS, based on BSD and certified as being UNIX-compliant. Linux is not a UNIX variant, though largely compatible.

ymcpa says:

Probably because any attempt by a government agency to create their own OS will last ten years, go millions over budget, will be obsolete when finished, and won't be able to do the things that were promised. That's what happened when the IRS not too long ago tried to modernize their networks.

Kellzea says:

Yeah sure, a government COULD just randomly build their own OS. But with no experience, no basis and no idea, it's probably not gonna be as good as Windows or Linux. They could always copy Windows or Linux, and then as they are a government they are immune to copyright if they want to be.

Wouldn't go down well with the eu or the usa, but hey, better than buying something for a billion cheaper than you can make it yourself yeah?

Dumbass

Bob Shiska says:

Cost. Why should they hire a whole bunch of people to modify and keep up to date a Linux distro when they can just buy something off the shelf?

Viipottaja says:

Err... Because that's not the role of the Government?

MBaumi says:

Why do you use the picture of US Politicans watching the execution of Bin Laden? Where's the context?

Read the paragraph above it.

Blau34 says:

They are the spies. As everyone in the world knows now.

DJCBS says:

Yes they should, specially with the US Government spying on foreign countries, even those who are supposed to be their allies.
That said, Microsoft should think seriously about addressing the concerns of the German government...'cause if Germany switches to Linux, you can bet other European countries will follow...

Blau34 says:

this is a trend in all European countries.

Blau34 says:

It is. I said a trend. Not a fact.

Rockartisten says:

Whatever trend you are referring to, it does not translate into any numbers.

Blau34 says:

We will see what happens in the next years.

Rockartisten says:

Yeah, this is the year of Linux. Where have I heard that before?

Blau34 says:

This is not the discussion. There is no statement from BSI to use Linux.
But now all look if MS is really needed inside government institutes.

Pato49 says:

I agree, it is a trend. In France, some ministries have already switched to Linux and the prime minister has written a letter saying that it was better to use open source software in administrations. Of course, users often prefer Windows, so it is still chosen in administration, but European countries start to worry about their online security and possible backdoors to foreign countries.

gevabar says:

Is Linux secure because nobody bothers with it???, if more governments and business use it, hackers will break them.....I believe so....same story with the virus and Apple in early 2000

DaBlackGod says:

Only thing the Germans know how to make is porn

Nooooooo, we make pretty good gummy bears (gold-bears) too.
But tell me more about the porn ;-))

Blau34 says:

Hehe "Haribo macht Kinder froh...."

maeh2k says:

Munich switching to Linux is really unrelated to recent privacy concerns. They just want to save millions of Euros by not paying for Windows and not paying for Office. So they are going Linux + OpenOffice.
 

wendoman says:

They want to save money on Windows by throwing millions and millions into local corrupted Linux vendor.
It's a famous story.

 

Rubios says:

Sounds like a win-win to me.

But the switch will probably cost more money than the licenses, at least in the short run.

ymcpa says:

This is a chip, right? Why not just remove the chip from their hardware? The software won't be able to do anything if the chip isn't there.

Check out the stack on that officer though. That man has seen some stuff.

I trust it just fine until someone can prove there's an issue. And seriously, who takes security advice from Germany?!

tgr42 says:

TPM is a grave threat to security.  It denies the user control over their own machine, allowing an unprecedented degree of unauthorized remote access and intrusion that is nearly impossible to stop.  Just the way the NSA likes it.
http://en.wikipedia.org/wiki/Trusted_Platform_Module#Criticism

Except the criticism is untrue for one simple reason... you can ALWAYS turn it off in BIOS.

MeWhoElse says:

Yeah, this whole TPM thing is a joke. In Australia, I don't know a government agency or financial institute that doesn't use BitLocker these days. If you don't have a TPM chip you can use a USB stick to store the cypher. All it has is a random number generator and memory for a cipher/key storage. Plus Linux supports TPM for encryption too. Next we will hear how PKI certificates are bad and IT Departments should remove their certificate authorities...
 
How do you think encryption is done in mobile phones even... wow... just wow... are they confusing TPM v1.2 with Intel's vPro???

rojar19 says:

I feel sorry for German IT staff having to walk end users through Linux, which I'll bet none have ever used before.

Rubios says:

In 10 years the same could be said for Windows.
 
Habits can be easily changed.

realwarder says:

Linux has many more security issues than Windows, and the user experience is substandard.  There is a reason Windows still controls the desktop... more applications exist, it is cheaper to develop for and has better security.
 
A TPM module doesn't make your system less secure:
 
a) You can turn off Bitlocker
b) You can still use something like TrueCrypt
 
For most users, a TPM module will make your laptop more secure from random strangers walking off with your data, and so is a good thing.

Tirinti says:

Microsoft is spying a little, but Google is spying more. TPM is better than some open source OS without any security guaranteed. If something is for free it has to cost in some other way and espionage by author is one of the possibilities.

Rockartisten says:

Did someone delete my comment with MSs rebuttal? WTF!?

My apologies Rock, was a mistake. Feel free to repost. Sorry bud... :/

thecanuckguy says:

Why is it taking so long for Munich to switch OS's.  Ten years!!!  hmm something tells me that switching over is not saving them anything.  If all costs are factored.

Ticomfreak says:

Rofl. Windows is so far ahead of security than any other OS, period. It's just a bigger target.

Pato49 says:

The main issue is that windows is proprietary solution made in the US. If you can't access source code, you can't be sure that there isn't any backdoor for the NSA for instance, it has nothing to do with breaches in Linux or Windows. They are not talking about you guys using your computer, they are talking about secret services and critical infrastructures. It is more secure to master your software than trust a foreign company, possibly giving the access to governmental services. And that's the only way to ensure no backdoors actually.

Blau34 says:

You are right!

Blau34 says:

Is nice to read the comments. :)

Greetings from Germany

morete908 says:

Geschützt.  Geschützter.  G Data.

trincowski says:

I suspect the problem is exactly the opposite. With this technology, the German government and the NSA have more difficulty spying on the general population.

Blau34 says:

Nope. The Problem is not TPM. The Problem is the combination. And the warning is only for Government Institution.

Rockartisten says:

There's absolutely zero substance in this comment.

Blau34 says:

Read the article. Maybe then you understand why the start post is nonsense. Again. The warning is only for government institutes. They have access to their own computers.

trincowski says:

There's also zero substance in your own comment. Ain't that a coincidence?

Rubios says:

Governments shouldn't be using closed source software in the first place.

wpguy says:

Yeah, but good luck with interoperability with what most of the rest of the world is using, namely Office. Open-source Office alternatives can claim compatibility all they want, but fact is, that compatibility never has been and never will be 100% with Office.

Pato49 says:

I think national security is probably more a concern than badly presented text or spreadsheet documents... MS Office reads odt, ods and some other open source formats. And I'm pretty sure that most documents are for an internal use, so no compatibility issues in this case. So I definitely don't think that it is a bigger concern than national security!

InlineV says:

That is beyond the point of being overly simplified. Other than formatting support (which none of the Office alternatives do well), there is the matter of custom line of business macros, Vbscript and third party plug-ins for Office. Unless you've actually worked with office file compatibility, you simply couldn't know how unbelievably time consuming and complex it can be and that is moving from one version of Office to another much less moving to OpenOffice. Don't even get me started on all the Java dependencies. Even Oracle uses MS Office if that tells you anything.

Bratnikola says:

Linux is German, right? ;-)

Long time ago in one of the forums conversations I stated that Unix and its derivatives especially Linux were used mostly as servers (backends) and people argue with me that Windows was mostly used on servers. So there you have it backends are running mostly Unix and derivatives (Linux, Fedora, Red Hat, etc.)

InlineV says:

If you're saying that most servers in IT organizations run Linux or a derivative, my experience would suggest otherwise. A Linux heavy shop may have as much as 10% Linux with the occasional Sun Solaris box mixed in for good measure. On average, I would say that they are no more than 5%. Windows Server dominates the data center for every one that I've pulled data from with the vast majority of those running SQL, IIS and file services. As for the topic at hand, if you are unable to trust TPM 2.0, you may as well say the same for all the US managed Trusted Root Certification Authorities. If TPM is a back door, Trusted Root CA's are the front door with the keys dangling in the lock. EVERYONE depends upon them to qualify trusted vs untrusted or unsigned code across numerous platforms. They are also the BASIS for whether an SSL site can be trusted and so forth. This sounds more like fear mongering on the part of the German authority in question with a little bit of buyer's remorse mixed in. They have been moving to open source for a long time now. It's clear that they really want to keep driving that regardless of whether the analysis is biased or not. Regardless of which is more or less secure, the fact remains that Linux will be more difficult and time consuming to manage and it will probably cost two times more than the equivalent Windows environment simply because of all the custom development. The end user experience will be sub par as well. That isn't a knock against Linux. It's just the nature of the beast. Microsoft has a keen understanding of what works for the enterprise. Frankly, it's not fair to compare Linux to Windows when it comes to sustainability, management and return on investment. They are in a different class altogether. As for security, this seems to have a lot more to do with whether you can trust third party security authorities.
If that's the case, you might as well abandon all web services (because of the Root CA's) and TCP/IP could be an attack vector as well. Just imagine all the snooping they could do with IPv6 and the Internet of Everything! Taken to the extreme, you could just as easily accomplish the same using any platform with a dark net. That just wouldn't be very useful in this day and age.

maloo78 says:

Well, first we are not discussing personal average security on any given OS here, but government level secrets that require protecting. Hence, the people in charge tend to be extremely suspicious of any POSSIBLE vulnerability. They did not say that Windows 8 is unsafe. The statement was, that they do not like the limited user control (opt-in or opt-out) and they fear hackers piggy-backing on updates when they are pushed by the OS provider to the end-user, since this is a POSSIBLE backdoor.
Since I have no big culture on technology I don't want to lecture anyone, but I guess the more secrets you have to keep - and every government does - the more paranoid you will be. And then it's only right that they choose the system they feel safest with. If this corresponds to the facts is another point entirely. But for sure the government has their own experts and advisors. I do not believe they are all talking bullshit simply because they mistrust Microsoft or Windows 8.
Last point: changing an operating system for a company or even a government is a huge work process and very cost intensive. That will have an impact on their decision as well.

I will insinuate it then.