Slashdot Mirror
Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"?
An anonymous reader writes "What is the best/newest hardware without trusted computing (TC) / Trusted Platform Module(TPM)? I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM. I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process. Is anybody else still trying to avoid TC/TPM? What have your experiences been? Any pointers?" Worth reading on this front, too: Richard Stallman on so-called Trusted Computing,.
Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?
I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process.
Non sequitur much? What do Blu-Ray movies have to do with a TPM or UEFI secure boot? Also, Windows 8 can be run just fine without UEFI secure boot and doesn't need a TPM. UEFI secure boot is only needed to sell a certified product. Trying to drum up some FUD or what?
My god man, how many Wal-Marts could you possibly need?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
I'd get in touch with ThinkPenguin. The company avoids trusted computing, non-free dependencies, and other digital restrictions that are bad for users. HP, Lenovo/IBM, Dell, Toshiba, Sony, and Apple are enemies of user freedom and should be avoided. They ship systems with digital restrictions and/or propitiatory pieces that prevent users from replacing things like the wifi in what is otherwise a standard slot. As a result if you get a system with a unsupported wifi card you can't replace it- or in other examples eventually move to a distribution that is 100% free like Trisquel or Parabola GNU/Linux.
ThinkPenguin's been working with the free software foundation on various issues like USB wireless cards and other projects. They helped bring a new chipset to the free software community (ar9271 and the older ar9170). They also don't ship parts/computers dependent on non-free drivers/firmware. The only real exception is the BIOS. That might change if the company gets enough support. Right now it is a non-trivial and significant task to fix. Particularly when every user wants a different configuration and demands the absolute latest in specs (like Haswell for example).
Just buy it with TPM and turn it off. It's just like 3D televisions--it's a permanent addition to the feature list, regardless of how many people actually want or use it. Yeah it sucks that you pay for stuff you don't use. I'm sure you'll survive the experience.
And if you're paranoid that turning it off won't REALLY turn it off, how do you know a motherboard without a TPM module doesn't REALLY have a super-secret disguised TPM module? If you're that paranoid, you'll have to build the motherboard yourself.
TPM is just a secure hardware keystore. It allows you to store secret keys in it. Don't want it? Don't activate it.
It is most commonly used in corporate machines, but can be used in Linux to support LUKS for full-disk encryption.
As usual, people fear what they don't understand. The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature. TPM itself isn't inherently bad any more than any safe is inherently bad.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Learning HOW to think is more important than learning WHAT to think.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Both scenarios are more or less "theoretical", but the most likely to end up widely implemented is exactly the one RMS focuses on. That is why he focuses on it. It's also the reason why the entire thing came into being. The other stuff is a nicety for the geeks, nothing more. That nicety doesn't make the purpose behind it less wrong or evil.
"Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. "
Not quite, the same way F2P games and always online DRM made it so far. Most people are tech illiterate, all that's needed to get TPM out there is a dumb public and some widget they will always buy mindlessly like phones. I expect phones and/or some aspect of videogames to be where TPM is first implemented. The upper classes in america are obsessed with manipulating the public mind for their own corporate profits. I suspect there are people working right this moment to find a way to push more hardware DRM and legal bullshit. I imagine we'll first see this from the game industry and then it will seep into other industries.
The idea that Stallman is 'alarmist' given how dystopian, authoritarian and anti-freedom american copyright and patent law has become and its negative effect on people owning the digital products they buy is already cause for alarm. The fact that digital goods are effectively infininite and people are talking moronically about selling 'used digital games' (bizarre aspect of american capitalist thinking in the non scarce digital world).
See this article, game developers and publisher are seriously totally in bizarro world trying to get rid of the used game market.
http://www.gamasutra.com/blogs/DanRogers/20130806/197733/THE_FUTURE_OF_RESELLING_DIGITAL_VIDEO_GAMES.php
TPM is normally not included in consumer motherboards. You have to purchase a separate TPModule that plugs into the motherboard's TPM header, and thats assuming the motherboard even has that header in the first place (read the specsheet). The Asus Z77 Deluxe in this machine for example - has no TPM header, and thus has no TPM. Newer versions of that motherboard firmware does include SecureBoot support - but older versions do not. However that must be manually activated, as it defaults to disabled (and consequently must be re-activated every time you reflash/update the firmware). In addition, custom keys are supported.
TPM requires (for Intel) support from the CPU - and some consumer level CPUs (notably the K series) lack that support. The extremely common 3570K for example - cannot use TPM. So in the above case, support is missing on the motherboard level, and on the CPU level. The newer Haswell variants (for both) still has the same inability.
Are you clueless? He's not "talking sense". The whole point here is that it's becoming increasingly difficult to not-buy a TPM. A lot of motherboards now have this shit welded in place, and its presence is often not listed when you're shopping to buy a computer.
An "Ask Slashdot" on how to avoid purchasing Trusted Computing is entirely appropriate. Hell, there should be a goddamn front page story in the New York Times telling people that many computers are being shipped with TPMs, and informing the general public where to shop if they don't want to fork over money for an anti-owner TMP chip pre-welded into whatever computer they buy.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
As usual, people fear what they don't understand.
I've studied the entire TPM technical specification. I understand it in minute detail.
The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature.
EXACTLY!
And the entire point here is that you DON'T have the keys. The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys. Specifically this means the PrivEK (Private Endorsement Key) and the SRK (StorageRootKey). The owner is forbidden to have his StorageRootKey, because the StorageRootKey is explicitly designed to encrypt data on the harddrive such that the owner of the computer cannot read or alter it. The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) securely tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.
TPM is just a secure hardware keystore.
It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys.
The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.
Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Lets make it really simple. The moment they give owners some option to read their keys out of the chip, or give owners the option to buy chips that come with a printed copy of they keys, then I will jump up front and center proclaiming that Trusted Computing is wonderful and harmless... I'll lead the charge smacking down anyone claiming it's evil.
However the Trusted Computing Group has explicitly refused all demands for any sort of "Owner Override" and explicitly forbid owners to ever get a hold of their own keys. That is because the entire point of Trusted Computing is to secure computers AGAINST their owners. The entire point of Trusted Computing is that "Owners can't be trusted", so they want to be able to "Trust" computers to be secure against the owners.
The moment they allow owners to get their keys then I agree that the owner is in control.
Note that the standard argument against allowing owners to get their keys is that a virus or malware or something might get a hold of the key if it's accessible from the chip, or if it's on the harddrive anywhere. Which is a patently bullshit argument for refusing to let me buy a chip with a PRINTED COPY of my master keys. Malicious software can't read paper. End of argument. Then I can toss the printed keys in my safety deposit box at my local bank, and you can't make any believable argument that it's somehow "for my security" that you're refusing to let me get my own goddamn keys.
A simple rule for everyone:
Just say "I want my keys", NO KEYS, NO SALE
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
mean while, you can run Windows 8 on any Pentium 4.
Actually no you can't. Windows 8 unlike Windows 7 requires PAE, NX, and SSE2. NX was introduced into later Pentium 4 Prescott models, but not earlier Willamette and Northwood models. Win 8 Betas did run on these platforms, but RTM will refuse to install on them.
actually Vista allowed it to be dis/enabled in the device manager - making it immediately available w/o a reboot. The same is true of Win7/8 and later - just like wifi cards can be dis/enabled from the device manager w/o rebooting the system.
Since this is possilbe, it means it's possible to do so w/o user interaction. Making a TPM module a dangerous thing to have on your system.
Mod me up/Mod me down: I wont frown as I've no crown
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI...
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them....
The amount of knee-jerk that goes on with this shit is pretty amazing.
Quoting fucking MICROSOFT.COM News Center:
"Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that s a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We re working to require TPM 2.0 on all devices by January 2015"
You're seriously going to call me "paranoid" when Microsoft has an official public statement that they plan to make this Trusted Computing shit mandatory starting less than a year and a half from now?
Over a half-billion computers have already been shipped with this shit welded to the motherboard. THAT'S why the Ask Slashdot story is asking how to avoid this shit. A lot of computers already come with this shit on the motherboard, and not all of the sales materials list that it's in there.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Bullshit just buy AMD as I don't think they even have a board that HAS TPM and what they are doing to fix that will leave the choice IN YOUR HANDS because instead of baking it into the board they'll have the "business class" chips with an ARM DRM chip they bought from ARM Holdings to do TPM and crypto and...well pretty much anything security related you want. Don't want the feature? All you do is don't buy the business class chips, simple as that.
My system has a 6 core CPU, 8GB of RAM (expandable to 16GB but for what i do frankly that would be overkill) and chews through any job I throw at it and NO TPM,same with my netbook which has dual cores and 8GB, same for my two boys quad and hexa, my dad's quad desktop...you get the idea.
Hell you can go over to Tiger and buy a TPM free quad laptop for $420 flat, or if you don't mind taking the whole 40 minutes it takes to slap one together you can get a fully loaded hexacore desktop for $310 after rebate, so not only can you support not having a TPM but you can save a good chunk of change which can be used on an SSD or faster GPU, win/win.
ACs don't waste your time replying, your posts are never seen by me.