With the roll out of Windows 11, the term TPM 2.0 has been introduced to the general public. What is it exactly? Fundamentally, it is a platform integrity and security device. Beyond that, it depends on who you ask.
For the basics, TPM (Trusted Platform Module) development has been governed by the TCG (Trusted Computing Group), which is a non-profit (quite lucrative Think Tank) offspring (spawn) of the IT industry (Big Tech). The TCG board is made up of technology manufacturer executives and sadly, has no one from the EFF (Electronic Frontier Foundation) or any similar consumer advocacy organization, which means caveat emptor as usual. There is a good amount of info to cover about what that means, but for today we will just be discussing what, in a perfect world, the TPM 2.0 was intended to be.
Why was the TPM created?
From Wikipedia– “The primary scope of TPM is to ensure the integrity of a platform. In this context, “integrity” means “behave as intended”, and a “platform” is any computer device regardless of its operating system. This is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running.
When TPM is used, the firmware and the operating system are responsible for ensuring integrity.”
Functions-
- Encryption– random number generator plus cryptographic capabilities.
- Remote attestation*– Device fingerprinting and recognition.
- Digital Rights Management– Ensures all media, software, etc. are legitimate and of course, paid for.
What it does not do- Protect your system or data. Although this is being marketed as a consumer protection upgrade, it is merely a corporate profit upgrade. Which is not inherently a bad thing, but they should be honest about it. In the next few posts, we’ll be going over the different hardware and software devices which can be used as TPM 2.0, and in a later installment we’ll go over all the myriad ways one can install, bypass or simply fake this level of compliance. Guess which methods are the cheapest and easiest…
Coming Next Week- Why did Microsoft do an about face on the minimum requirements for Win 11? I have a theory…
*Yes, a topical search of this subject will produce an overwhelming number of papers and articles lauding the privacy and security of the TPM 2.0 and the inherent goodness of remote attestation, but please realize that these were written by corporations, for the benefit of those corporations.
Author’s vaguely connected tangent- And this would be an opportune moment to mention that “By Corporations, for Corporations” is a caveat that must be considered when reading, viewing, or downloading any data nowadays. We are rarely presented with any information that is not in the form of an advertisement. Newspapers are owned by the very entities they used to drag across their pages. Medical studies are announced by press release, not peer review. As Howard Zinn said, “The news is what they hide from us. All we have ever seen was advertising.”
So, always ask this question when experiencing prepared information- Is it BCFC? (Yes, it sounds like a county jail, which is fitting because it has about as much to offer the average human in the way of personal benefit and assistance as a county jail.)
Back to the subject- When one does a less cursory look into the uses of remote attestation, one will find truly dystopian headlines such as-
- Remote Attestation on Behavioral Traces for Crowd Quality Control Based on Trusted Platform Module
- Remote Attestation: Building trust in things you can’t see
Sounds legit, right? To sum it up, although there are dozens of RA protocols made by different companies, they all fundamentally function by sending some or all of the exact and, most likely, unique hardware and/or software configuration running on your system, and can therefore be used to track you anywhere you go, regardless of VPN, Tor, or any other identity obfuscation techniques you may be using. With this technology, you are literally starting every internet action with an SSL handshake which proclaims, accurately, exactly what you are running. This can easily be tracked as a single entity with a database of past actions. If that database is connected to any other entities’ attestation database (note that there are only a few mega corporations owning everything nowadays), it quickly becomes the complete digital representation of you. Translates to- knowing exactly who you are and what you are doing at any time online, and it will be used to predict and manipulate your actions in the future.
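To make the mechanism behind that concern concrete, here is an added, deliberately simplified model of measured boot and a remote-attestation quote. It is not code from the TCG or from any TPM vendor, and it cuts corners on purpose: the boot components are constructed byte strings, the PCR "extend" operation is modelled as SHA-256(old || SHA-256(component)), and an HMAC with a constructed shared key stands in for the signature a real TPM makes with its attestation key (a real verifier checks an asymmetric signature and also learns the key's identity). What the model does show is the property the post is pointing at: the PCR value is a stable, order-dependent digest of the whole boot chain, so every machine with the same firmware, bootloader and kernel build produces the same value, any change to one component produces a different value, and a verifier that keeps a table of values it has seen can count how often a given configuration comes back.

```python
import hashlib
import hmac

# Constructed sample "measurements" standing in for firmware, bootloader and OS images.
# Chain B differs from chain A only in the kernel build number.
BOOT_CHAIN_A = [b"firmware 1.0 (vendor X)", b"bootloader 2.3", b"kernel 5.15 build 42"]
BOOT_CHAIN_B = [b"firmware 1.0 (vendor X)", b"bootloader 2.3", b"kernel 5.15 build 43"]

PCR_INIT = bytes(32)  # a PCR starts out as all zeros at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """One PCR extend: new = SHA-256(old || SHA-256(component)).

    The value is one-way and order-dependent, so it summarises the whole
    sequence of measurements, not just the last one.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain: list[bytes]) -> bytes:
    """Fold every boot component into a single PCR value, in boot order."""
    pcr = PCR_INIT
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Device side of attestation: bind the PCR value to the verifier's nonce.

    A real TPM signs (PCR digest || nonce) with an asymmetric attestation key;
    this model uses an HMAC over a constructed shared key instead.
    """
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


class Verifier:
    """Relying party that checks quotes and remembers which configurations it has seen."""

    def __init__(self, attestation_key: bytes):
        self.key = attestation_key
        self.seen: dict[bytes, int] = {}  # PCR value -> number of accepted quotes

    def check(self, pcr: bytes, nonce: bytes, sig: bytes) -> bool:
        expected = quote(pcr, nonce, self.key)
        if not hmac.compare_digest(expected, sig):
            return False  # quote does not match this nonce and PCR value
        self.seen[pcr] = self.seen.get(pcr, 0) + 1
        return True


def demo() -> tuple[int, int, bool]:
    """Run three sessions from configuration A and one from B against one verifier.

    Returns (sessions seen for A, sessions seen for B, whether A and B differ).
    """
    key = b"constructed-shared-attestation-key"
    verifier = Verifier(key)

    pcr_a = measure_boot(BOOT_CHAIN_A)
    for nonce in (b"nonce-1", b"nonce-2", b"nonce-3"):
        verifier.check(pcr_a, nonce, quote(pcr_a, nonce, key))

    pcr_b = measure_boot(BOOT_CHAIN_B)
    verifier.check(pcr_b, b"nonce-4", quote(pcr_b, b"nonce-4", key))

    return verifier.seen[pcr_a], verifier.seen[pcr_b], pcr_a != pcr_b


if __name__ == "__main__":
    seen_a, seen_b, differ = demo()
    print(f"configuration A seen {seen_a} times, configuration B seen {seen_b} times, differ={differ}")
```

Running it shows configuration A recognised across three separate sessions with three different nonces, while the one-build-number change in configuration B yields an unrelated PCR value. The nonce only stops an old quote from being replayed; it does nothing to hide which configuration is quoting, which is exactly why the post treats the quoted configuration as a fingerprint.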
What can be done about this? Um… Well, I’m still working on that. Please comment with any ideas you may have. This discussion is definitely open and your input will help.
Holy crap. I’ve always thought of TPM as a handy cache for encryption keys, as in encrypted hard drives. Clearly I have not been sufficiently paranoid about the tracking potential of TPM.
Yup, now we’ve gotta figure out ways to spoof, disable or deceive it. Which is a nasty game to have to play, when you just came for a little Elder Scrolls.
I’m working on the spoof – disable – deceive methods at the moment and will have an effective list of ways to avoid these latest encroachments, posted here on Friday.