
Microsoft Claims Unauthorized Repairing of Its Devices Would Be a Security Risk (securepairs.org)

In comments submitted to America's Federal Trade Commission, Microsoft says repairing its devices could jeopardize protections from the Trusted Platform Module (TPM) security chip.

"Don't believe them," argues a group of information security professionals who support the right to repair. Slashdot reader chicksdaddy quotes their report: The statement was submitted ahead of Nixing the Fix, an FTC workshop on repair restrictions that is scheduled for mid-July... "The unauthorized repair and replacement of device components can result in the disabling of key hardware security features or can impede the update of firmware that is important to device security or system integrity," Microsoft wrote... "If the TPM or other hardware or software protections were compromised by a malicious or unqualified repair vendor, those security protections would be rendered ineffective and consumers' data and control of the device would be at risk. Moreover, a security breach of one device can potentially compromise the security of a platform or other devices connected to the network...."

As we know: Firms like Microsoft, Lexmark, LG, Samsung and others use arguments like this all the time and then not too subtly imply that their authorized repair professionals are more trustworthy and honest than independent competitors. But that's just hot air. They have no data to back up those assertions and there's no way that their repair technicians are more trustworthy than owners, themselves...

There's nothing inherent in repair or the things called for in right to repair laws like providing diagnostic software, diagnostic codes, schematics and replacement parts that puts the integrity of the TPM or the trust model it anchors at risk. Nor does the TPM require that the devices it secures remain pristine: using the same hardware and software configuration as when they were sold by the OEM. After all, TPMs are in Dell computers. Dell makes diagnostic software and diagnostic codes and schematics available for their hardware and I haven't heard Microsoft or anybody else suggest that a TPM on a repairable Dell laptop is any less secure than the TPM on an unrepairable Microsoft Surface.

  • Closing backdoors for the NSA poses a security risk for________ fill in the blank.

    • People who don't care about the rules won't stop compromising the security chip because of some law. People who repair tablets and phones cheaper than the big players are the target of this lobbying.
      • > People who repair tablets and phones cheaper than the big players are the target of this lobbying.

        That's true. A separate issue is "is Microsoft's statement also true?"

        As a security professional for twenty years, my experience in part confirms Microsoft's statement and in part refutes it. My conclusion is based on something else, though.

        It is definitely easier for me to compromise a system if I have complete documentation and tooling for it. On this point, Microsoft is right. Security by obscurity

  • Ha Ha hA! (Score:4, Insightful)

    by Anonymous Coward on Saturday June 29, 2019 @02:50PM (#58846802)

    Let me laugh harder.

    Microsoft, and Security?

    The one and same that sells software WITHOUT WARRANTY, or WITHOUT FITNESS FOR A PARTICULAR PURPOSE and contains KNOWN DEFECTS?

    Sorry, I need my data treated confidentially. Microsoft doesn't have the experience in this at all. If it can't be repaired, it will not be purchased. That's why I build it myself.

    Tablets are good for media consumption, but I don't store any confidential data on them.

    Desktops are all backed up to a Linux Machine, that has no outside network access.

    Linux for the Win, Microsoft for the sheep.

  • by oldgraybeard ( 2939809 ) on Saturday June 29, 2019 @02:58PM (#58846840)
    repairing any Microsoft device and putting it back into service IS a security risk.

    Just my 2 cents ;)
    • repairing any Microsoft device and putting it back into service IS a security risk. Just my 2 cents ;)

      Actually, considering the sheer volume of attacks on Windows systems, Microsoft does a pretty amazing job at keeping their software secure. If you install Malwarebytes on top of Windows Defender you are pretty safe these days

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        "Microsoft does a pretty amazing job"

        You must be new here. Other people will remember countless Microsoft atrocities in security, customer service, and propaganda. This is NOT the company I get my security tips from.

        I won't dwell on it. I do have a bridge to sell you...

    • by AmiMoJo ( 196126 )

      Let's think about the actual threat model here. It's basically a variation on the Evil Maid attack, where someone with physical access to your device while you are not present is able to tamper with it, installing a backdoor or malware.

      One well known example of this is the NSA's TAO operation, where they intercepted Cisco hardware being delivered to customers, installed malware and sent it on to the victim.

      In theory any repair shop may do that too. In practice, it seems like an attacker like the NSA could i

      • by Anonymous Coward

        News Flash: Unless you witnessed the complete construction of the device, verifying each part, and never leave it out of your possession, you're vulnerable to the Evil Maid Attack. Having said that, perhaps you should worry more about Best Buy and the FBI. Really, we live in "interesting times" where most of the more paranoid of ideas has been confirmed as real when it comes to the NSA/FBI/CIA. The safest approach really is to avoid Microsoft entirely.

      • "TPM chips that they can covertly install on your motherboard"

        I'm pretty picky about who gets to touch my motherboard

        Just my 2 cents ;)
  • by Anonymous Coward

    I would've expected that kind of crap from Apple, come on Microsoft! The few devices you have on the market are nothing in the grand scheme of things, there's literally no reason to prevent people from repairing their devices other than pure corporate greed.

    • The 'Surface' line is pretty much Microsoft's love letter to Apple's principles, to the degree they are capable of emulating them, so it's to be expected.
  • Of course! (Score:4, Funny)

    by burtosis ( 1124179 ) on Saturday June 29, 2019 @03:11PM (#58846902)
    Of course, everyone knows unauthorized repairing of its devices is a security risk... Every time it automatically uploads a patch without the administrator's permission it's a huge risk. I wish they would fix that.
  • Jealousy (Score:5, Interesting)

    by duke_cheetah2003 ( 862933 ) on Saturday June 29, 2019 @03:17PM (#58846916) Homepage

    Microsoft is just jealous of Apple's anti-repair stance. They just gotta one-up their biggest rival.

    And we all lose as a result. Repair is good. Keeping computers going for as long as possible is good. Sustainability good.

    I dunno if anyone from Microsoft reads our garbage, but... don't be like Apple. Most people dislike Apple for their anti-repair shenanigans. They are definitely not a company to be emulating or striving to be like.

    Stick to making operating systems and office suites. You're good at that. You suck at hardware. You always have.

  • Nonsense (Score:2, Insightful)

    by Anonymous Coward

    If physical security is required for the security of the TPM then it is a failed design isn't it?

    • These statements are for the dumb, not those that think. Unfortunately, there are more of the dumb than otherwise....
  • Those in control fear having their control removed.

  • Perhaps I should let them help to "fix" my Windows PC? After all, nobody else should be trusted. /s

  • ... declare a National Emergency or a National Security issue and circumvent common fucking sense.

  • ... on my goddam Windows machines, including servers, going back to XP are Security Updates. The list of these is too fucking long to print.

    And they will keep on coming.

    MICROSOFT is a goddam security risk.

    • Almost ALL of Microsoft updates on my goddam Windows machines, including servers, going back to XP are Security Updates. The list of these is too fucking long to print.

      Literally. I've tried posting long lists of proper names. Slashdot filtering prevents it.

  • unsupervised *use* of their products is a security risk. The only safe way to handle any of their products is to never distribute them.

    The question is, what is best for their customers? Accepting some risk to get some freedom, or accepting somewhat less risk and giving over control of your purchases to the vendor?

  • FTC I'm sure is under orders to can the right-to-repair stuff. But ... if MS and Apple make a Big Deal, will FTC go ahead and follow those orders, or the alternative orders that anything that screws those left-wing commie tech companies is good?

    Anyway, it's a stupid comment. After all, Windows is installed on all sorts of computers, ranging from locked-down corporate stuff to glued-together Surface tablets to Dell laptops/desktops to cheap Chinese 2-in-1s to Intel NUCs to my ancient Core2 desktop home-assem

    • The header's where the TPM module gets installed. The TPM you normally see/use is part of Intel CPUs so there's no need for an external TPM, the header's there in case you're using a non-Intel CPU or need a TPM not tied to the CPU.

  • Is TPS ... (Score:5, Insightful)

    by PPH ( 736903 ) on Saturday June 29, 2019 @07:02PM (#58847734)

    ... all about preventing Evil Software from infecting your machine? Because if it is, it's not working. If that was the intent, it has failed miserably. Windows machines are still getting pwned by idiot users opening infected documents. Leading, in some cases, to ransomware taking down entire city IT departments. Or was it intended to sniff out attempts to copy Microsoft products (illegally) onto multiple platforms without licenses? Because in this case, it seems to work quite well. Never mind the poor fool who only tried to swap out a bad hard drive. The change in hardware fingerprint is effectively detected and (as a false positive) the Bad Pirate finger is pointed at them.

    This isn't about YOUR security. It's about the security of Microsoft's revenue stream.

  • No, it's running Windows on them.

  • ...the good old days when Bill Gates was running the show. Home computing was fun in the 90s.
