Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"?
An anonymous reader writes "What is the best/newest hardware without trusted computing (TC) / Trusted Platform Module (TPM)? I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM. I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process. Is anybody else still trying to avoid TC/TPM? What have your experiences been? Any pointers?" Worth reading on this front, too: Richard Stallman on so-called Trusted Computing.
Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?
I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process.
Non sequitur much? What do Blu-Ray movies have to do with a TPM or UEFI secure boot? Also, Windows 8 can be run just fine without UEFI secure boot and doesn't need a TPM. UEFI secure boot is only needed to sell a certified product. Trying to drum up some FUD or what?
None of the consumer grade machines that you would buy or build for installing your own system enforce TPM or UEFI or any of that, so far it is all optional. So no need to currently avoid it, just don't use it.
My god man, how many Wal-Marts could you possibly need?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
I'd get in touch with ThinkPenguin. The company avoids trusted computing, non-free dependencies, and other digital restrictions that are bad for users. HP, Lenovo/IBM, Dell, Toshiba, Sony, and Apple are enemies of user freedom and should be avoided. They ship systems with digital restrictions and/or proprietary pieces that prevent users from replacing things like the wifi in what is otherwise a standard slot. As a result, if you get a system with an unsupported wifi card you can't replace it, or in other examples eventually move to a distribution that is 100% free like Trisquel or Parabola GNU/Linux.
ThinkPenguin's been working with the free software foundation on various issues like USB wireless cards and other projects. They helped bring a new chipset to the free software community (ar9271 and the older ar9170). They also don't ship parts/computers dependent on non-free drivers/firmware. The only real exception is the BIOS. That might change if the company gets enough support. Right now it is a non-trivial and significant task to fix. Particularly when every user wants a different configuration and demands the absolute latest in specs (like Haswell for example).
I don't see a problem with it, unless it can't be disabled. If you want all the freedoms, one of those freedoms is to enable or disable a TPM when you want. Maybe the only reason you want a TPM is so you can have one to test ways to circumvent it.
The story about the TPM was a load of horseshit FUD. TPMs are good if you want secure crypto key storage. If you don't, use a tinfoil hat.
"Secure boot" is the thing you want to avoid if you're suitably paranoid.
Just buy it with TPM and turn it off. It's just like 3D televisions--it's a permanent addition to the feature list, regardless of how many people actually want or use it. Yeah it sucks that you pay for stuff you don't use. I'm sure you'll survive the experience.
And if you're paranoid that turning it off won't REALLY turn it off, how do you know a motherboard without a TPM module doesn't REALLY have a super-secret disguised TPM module? If you're that paranoid, you'll have to build the motherboard yourself.
TPM is just a secure hardware keystore. It allows you to store secret keys in it. Don't want it? Don't activate it.
It is most commonly used in corporate machines, but can be used in Linux to support LUKS for full-disk encryption.
As usual, people fear what they don't understand. The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature. TPM itself isn't inherently bad any more than any safe is inherently bad.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Learning HOW to think is more important than learning WHAT to think.
Yawn. Obsolescence built in, with each OSX "upgrade" Apple drop support for a whole generation of hardware. Quad core xeons are now in limbo. Yes, that standard Intel and PCI system is already at a dead end. When the next cat OS is released with a slightly changed icon set, the next top end systems will be excluded.
And as for imacs, zero upgradability other than RAM and high failure rates, also suffer from OSX obsolescence.
So, no, don't go down the Apple route unless you intend to replace the whole system to stay current, even if it doesn't need it.
TCM/TPM is often a business only feature. Consumer motherboards *frequently* don't support it. But full disk encryption programs can, and some do.
In other words, yes, you can totally opt out of buying a motherboard with TPM, including a top-of-the-line Haswell motherboard or an AMD chip, if that's your fancy. But if you buy one, you can also use it as a layer of security for a product like TrueCrypt (I do not know if TrueCrypt specifically supports it, that's just an example). And if you don't want it, you can turn it off.
Stallman is never "worth reading".
Buy an Apple computer? They haven't had TPMs of any sort for a long time, near as I can tell from the literature.
Yawn. Obsolescence built in, with each OSX "upgrade" Apple drop support for a whole generation of hardware. Quad core xeons are now in limbo. Yes, that standard Intel and PCI system is already at a dead end. When the next cat OS is released with a slightly changed icon set, the next top end systems will be excluded.
And as for imacs, zero upgradability other than RAM and high failure rates, also suffer from OSX obsolescence.
So, no, don't go down the Apple route unless you intend to replace the whole system to stay current, even if it doesn't need it.
My 2008 MacBook is still receiving upgrades, and will get Mavericks. Upgraded the ram to 8gb and I'm doing just fine.
SJWs are the new boogeyman. -Me
My Core-2 Duo Macbook is EOL at Snow Leopard, but I'm fine with that. In fact I'm still running Leopard on it, since I want to do a clean reinstall instead of an upgrade but haven't made time to do it. Besides, once I upgrade to snow leopard I won't be able to run the "AirPort Admin Utility for Graphite and Snow.app" to admin my original Airport base station.
I don't understand the whining about 'planned obsolescence'. My gear continues to run just like when I bought it. Besides, I consider many of the "enhancements" of recent OSX upgrades to be steps backward...
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
He did say, "If you're REALLY dead set on not even having it at all..." which would imply not simply turning it off, but it not being there. I think the statement is probably pretty accurate. If you don't mind turning it off, almost anything would work, if you want it not present... well, that's much harder.
...why not try these guys? https://www.system76.com/ Desktops and laptops available.
Anti Evil Maid is an implementation of a TPM-based static trusted boot with a primary goal to prevent Evil Maid attacks.
http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html
Meanwhile, you can run Windows 8 on any Pentium 4.
No they don't. They started shipping with them in the mid 2000's, but never built a driver for one, and stopped including it in their hardware in 2009.
Thanks for playin', though.
TPM is normally not included in consumer motherboards. You have to purchase a separate TPModule that plugs into the motherboard's TPM header, and that's assuming the motherboard even has that header in the first place (read the specsheet). The Asus Z77 Deluxe in this machine for example - has no TPM header, and thus has no TPM. Newer versions of that motherboard firmware do include SecureBoot support - but older versions do not. However that must be manually activated, as it defaults to disabled (and consequently must be re-activated every time you reflash/update the firmware). In addition, custom keys are supported.
TPM requires (for Intel) support from the CPU - and some consumer level CPUs (notably the K series) lack that support. The extremely common 3570K for example - cannot use TPM. So in the above case, support is missing on the motherboard level, and on the CPU level. The newer Haswell variants (for both) still have the same inability.
Are you clueless? He's not "talking sense". The whole point here is that it's becoming increasingly difficult to not-buy a TPM. A lot of motherboards now have this shit welded in place, and its presence is often not listed when you're shopping to buy a computer.
An "Ask Slashdot" on how to avoid purchasing Trusted Computing is entirely appropriate. Hell, there should be a goddamn front page story in the New York Times telling people that many computers are being shipped with TPMs, and informing the general public where to shop if they don't want to fork over money for an anti-owner TPM chip pre-welded into whatever computer they buy.
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
There was some interesting research presented at Blackhat that pointed out the problems of using the TPM as a root of trust in your platform: https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf The essence of the research is that the TPM is not adequate as a root of trust in the platform because the code that drives the TPM/does the system measurements resides on a mutable EEPROM (the bios flash chip). Therefore any attacker that can gain access to the bios flash chip via an exploit (the researchers presented one) or via an unlocked flash chip (see Yuriy Bulygin's related work) can forge the TPM measurements that serve as the root of trust in your system. This is important because software like Bitlocker uses these TPM measurement values to determine whether or not to decrypt your harddrive...
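The dependency described in the comment above, as an added Python sketch (not from the Black Hat slides or from the poster): a PCR is a hash chain over digests that firmware hands to the TPM, so the final value is only as trustworthy as the code doing the measuring. The stage names, images and the `unseal` helper are constructed for illustration; a real TPM releases sealed data through its own policy checks, not a comparison in software.

```python
import hashlib

def extend(pcr, digest):
    # TPM extend: new PCR = H(old PCR || digest). The TPM receives only the
    # digest; it never reads the code that was supposedly measured.
    return hashlib.sha256(pcr + digest).digest()

def honest(name, image):
    # Measuring code that hashes the image it is about to run.
    return hashlib.sha256(image).digest()

def boot(stages, measurer):
    """Measured boot: each stage is measured, the digest is extended into the
    PCR and appended to the event log. Returns (final_pcr, event_log)."""
    pcr, log = bytes(32), []
    for name, image in stages:
        digest = measurer(name, image)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def replay(log):
    # What a verifier does: recompute the PCR from the event log.
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def unseal(sealed_to, current_pcr, secret):
    # Stand-in for sealed storage: release only if the PCR matches.
    return secret if current_pcr == sealed_to else None

# Constructed sample boot chain (not real firmware images).
GOOD = [
    ("firmware", b"constructed: vendor firmware"),
    ("bootloader", b"constructed: bootloader"),
    ("kernel", b"constructed: kernel"),
]
TAMPERED = [GOOD[0], ("bootloader", b"constructed: modified bootloader"), GOOD[2]]

GOLDEN_PCR, GOLDEN_LOG = boot(GOOD, honest)
KNOWN_GOOD = dict(GOLDEN_LOG)

def untrusted_measurer(name, image):
    # Models measuring code that lives on writable flash and has itself been
    # changed: it reports the recorded digest instead of hashing the image.
    return KNOWN_GOOD[name]

if __name__ == "__main__":
    pcr_honest, _ = boot(TAMPERED, honest)
    pcr_untrusted, log_untrusted = boot(TAMPERED, untrusted_measurer)
    print("honest measurer detects change:", pcr_honest != GOLDEN_PCR)
    print("untrusted measurer matches golden PCR:", pcr_untrusted == GOLDEN_PCR)
    print("log replay still consistent:", replay(log_untrusted) == pcr_untrusted)
```

With an honest measurer the modified bootloader changes the PCR and the sealed secret stays sealed; once the measurer itself is untrusted, the PCR and the replayed log both look correct, which is why the measuring code has to sit in write-protected storage.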
Meanwhile, you can run Windows 8 on any Pentium 4.
Meanwhile, if I write software targeted at MacOS X 10.7 or later, I can safely rely on the user having a 64 bit processor. No 32 bit versions needed anymore.
I am more worried about no new laptops with the standard 8-row keyboard which has Ins/Del/Home/End/PgUp/PgDn block.
All manufacturers that had those for business use - i.e. Dell, HP, Lenovo switched to the new consumer type layouts which are much slower for development work.
When this keyboard layout is resurrected, I am buying a new laptop. Until then, I stick to the fastest possible laptop with such a keyboard. Which, at present, is the Dell E6410/E6510.
As far as UEFI and TPM - all of these can be disabled.
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI. You can run it on a system with a BIOS, or on a UEFI system in BIOS emulation. My desktop is set up like that. My motherboard had some issues with UEFI boot as well as my video card, so BIOS mode it is. My laptop did not, so it is UEFI boot (it is faster) though without secure boot, it is just regular ass UEFI boot.
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them. You'd think if you cared so much about privacy and control you'd actually take the time to understand what things do or do not affect it.
The amount of knee-jerk that goes on with this shit is pretty amazing.
That is the point all you TPM-ranters seem to be missing: It is 100% optional to use. In most cases I've seen, it is off by default because people just don't give a shit about it. On my system I go and have a look in device manager and, oh look, there's no "Security Devices" category, which is where the TPM appears if it is turned on. My board either shipped with it off, or without one (I haven't bothered to check in the BIOS) and it is a new Z77 board.
I could see the issue if this was being required, but it isn't. You can choose to turn it off (or more likely to just not turn it on). Then there's no issue.
It really seems like something that some people just want to be a big evil issue so they pretend it is. There's lots of screaming about it, that is backed up by a big lack of knowledge about it. Just chill out, don't use it, and go on.
Yawn. Obsolescence built in, with each OSX "upgrade" Apple drop support for a whole generation of hardware. Quad core xeons are now in limbo. Yes, that standard Intel and PCI system is already at a dead end. When the next cat OS is released with a slightly changed icon set, the next top end systems will be excluded.
Yawn indeed. If all that's changed is the icons, then why do you give a fuck? You obviously don't need it. Each new OS is designed around the new hardware available, with features that are only possible with that hardware. There has to be some level of obsolescence. I agree that it could be longer, e.g. supporting older graphics sets would be a start, but running older versions of the OS is not really a problem. Apple is pretty good about security updates, Java upgrades, etc. for older OSs.
And as for imacs, zero upgradability other than RAM and high failure rates, also suffer from OSX obsolescence.
So, no, don't go down the Apple route unless you intend to replace the whole system to stay current, even if it doesn't need it.
Double yawn. I guess if you can't think of a computer except in terms of a big tin box, then you are too closed-minded to use anything else anyway. The iMac has a memory limit, like any motherboard. In general, you can upgrade the internal hard drive if you want to. However, the expansion is through the thunderbolt ports, which can support a dozen drives, scanners, printers, monitors. What more do you need? Oh, that's right, you can't design your tinker toy PC around the latest video card when you use an iMac. Seriously, I work at a major newspaper currently, and the large iMacs are used for everything. I guess if you don't care about true-color quality either you can get a $100 crap LCD and claim that's better too.
By the way, 10.8 runs on almost all systems that are 5 or 6 years old. If that's not a hardware cycle for your top machine, then what the fuck is? I guess not having the ability to run Windows on that 8088 caused a major hissy fit too.
The only thing worse than a Democrat is a Republican.
Meanwhile, you can run Windows 8 on any Pentium 4.
Actually no you can't. Windows 8 unlike Windows 7 requires PAE, NX, and SSE2. NX was introduced into later Pentium 4 Prescott models, but not earlier Willamette and Northwood models. Win 8 Betas did run on these platforms, but RTM will refuse to install on them.
The reason is that Apple dropped devices that couldn't boot a 64-bit kernel. I suppose they could have released a new EFI, but they didn't.
SJWs are the new boogeyman. -Me
If your goal is to run Windows and/or Linux, you'd save a lot of money by not buying a Mac.
an HP with a Socket AM3+
No TPM module.
Mod me up/Mod me down: I won't frown as I've no crown
And this is one of the reasons I myself refuse to even consider TPM to be a viable product. I've had boards die suddenly in the past due to power surges/lightning strikes, thus I don't want such a chip that can be fried locking me out of my data.
Mod me up/Mod me down: I won't frown as I've no crown
Help me judge which of you is right.
Alsee says I can't have the keys to the TPM which comes with the computer I buy. You disagree with Alsee.
No, he explicitly agreed with me on that point:
I said: "The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys"
He said: "Forbidden from getting them out of the TPM"
That's agreement.
He merely followed up with a lame explanation "not forbidden from using them in ways that allow for guaranteeing security properties". The Trusted Computing definition of "security properties" explicitly includes security against the owner. "Guaranteeing security properties" means you are unable to read or alter your own files in Sealed Storage. An example "security property" would be that you can't read (and run) a Sealed-Storage program without securely verifying that the date is within the approved software-rental period. Or think DRM music file, the "security property" is that the chip won't let you play the music except with the approved DRM-music player, and only if it decrements the number of plays remaining in the pay-per-play count.
It also means enforcing the security of Remote Attestation, which in plain English means a cryptographically secure "spy report" sent out to other people over the internet telling them exactly what software you are running. For example if you had your master keys you could tell a website that you aren't running an ad-blocker when you actually are. That would violate the anti-owner "security properties".
That's why you're forbidden to have your keys.... then other people could not Trust that your computer would enforce anti-owner "security properties" against you.
Standard line argument is that it's all A-ok because it's all "opt-in". If you don't "opt-in" all "security properties" are still enforced against you, enforced in the sense in that nothing works (you can't violate security if nothing works and you can't do anything). If you don't "opt-in" you're denied any ability to read or modify Trusted-secured Files, if you don't "opt-in" you're denied the ability to run Trusted-secured programs at all, if you don't "opt-in" you won't be able to access websites at all if they use the Trust system to ensure you don't copy pictures or to check if you're running an ad-blocker. And if you don't "opt-in", then in a few years you might be denied internet access. The Trusted Computing group has created something called Trusted Network Connect, and Microsoft has an equivalent version called Network Access Protection. That's a system where a network (or your ISP) can ask for a Trusted Health Check. A "Health Check" is that spy report I mentioned before, it reports the exact software running on your computer. The "Health Check": ensures that you're not infected by a virus(*), and ensures that you're running an approved operating system with ALL of the mandatory patches, and enforces that you're running any mandatory "security software" they want you to run, and that you're not running anything they don't want you to run. And if you don't "opt-in" then you can't pass the "Health Check", and your computer is "quarantined".... no network access. Obviously no ISP could ever deploy something like that.... not unless most customers already had Trust Chips in their Computers.... oh yeah Microsoft is making Trust Chips mandatory in all new PC's 16 months from now. But even then it would obviously be several more years before most people had Trusted PC's, before ISPs could deploy that sort of "Trusted Health Check" to get internet access. But don't worry, this is all a good thing.... it's just a Health Check....
to ensure you're not infected and spreading viruses
As he explained, there's nothing evil about the system.... they
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Bullshit just buy AMD as I don't think they even have a board that HAS TPM and what they are doing to fix that will leave the choice IN YOUR HANDS because instead of baking it into the board they'll have the "business class" chips with an ARM DRM chip they bought from ARM Holdings to do TPM and crypto and...well pretty much anything security related you want. Don't want the feature? All you do is don't buy the business class chips, simple as that.
My system has a 6 core CPU, 8GB of RAM (expandable to 16GB but for what I do frankly that would be overkill) and chews through any job I throw at it and NO TPM, same with my netbook which has dual cores and 8GB, same for my two boys' quad and hexa, my dad's quad desktop...you get the idea.
Hell you can go over to Tiger and buy a TPM free quad laptop for $420 flat, or if you don't mind taking the whole 40 minutes it takes to slap one together you can get a fully loaded hexacore desktop for $310 after rebate, so not only can you support not having a TPM but you can save a good chunk of change which can be used on an SSD or faster GPU, win/win.
ACs don't waste your time replying, your posts are never seen by me.
The motherboard in the subject came with a header for installation of a TPM, but no actual TPM, and supports both UEFI and BIOS. Leaving out the TPM seems like a cost saving move rather than a privacy one. [It has a LGA1155 socket, which is being phased out, but it's pretty fast with a Xeon E3-12??v2. ECC monitoring not supported on Linux, if you're interested. I wish there was a chip that was equally fast per core, but with more cores..]
I wouldn't worry about TPMs for privacy or security anyway. There may be a backdoor in TPM, but all it could do is to negate the security of the TPM. There may be other hardware backdoors, but there is currently no way to protect against that. If the CPU had a back door that was triggered by a 128 bit pattern, or a sequence of arithmetic or floating point instructions and operands, this could be delivered over the internet to any host as part of an image file over HTTP, regardless of firewalls, VPNs and virtual machines. [The only solution I can think of would be to implement an emulator which re-maps memory addresses randomly at the byte level, and fudges the operands in calculations (maybe adds a random number to the operands, then subtracts it afterwards)]
I would, like the OP, also try to stick with legacy BIOS, just for practical reasons.