TPM2 is pretty good, actually

Did IQfy lie to me? I have both encrypted LUKS disks, got tired of inputting the passphrases so I just set up TPM2 and Secure Boot, now everything just werks with almost no security problems.

  1. 3 weeks ago
    Anonymous
  2. 3 weeks ago
    Anonymous

    Except, that the TPM chip can be read out and your encryption is as worthless as the chip itself. The best thing you can do when using encryption is using your own encryption keys stored inside your fricking head.

    • 3 weeks ago
      Anonymous

      LUKS dumps keys to RAM anyway, so you knowing the keys is pointless once you decrypt it.

      • 3 weeks ago
        Anonymous

        Doesn't matter if the drive isn't mounted or the machine is turned off.

    • 3 weeks ago
      Anonymous

      >Except, that the TPM chip can be read out and your encryption is as worthless as the chip itself.
      Delusion. Stacksmashing was only able to read the BitLocker key so easily because the SPI pads were exposed AND there was no PIN on the laptop in question. Your average Jamal that steals laptops from random cars can't even do that. If you care about NSA/Mossad/whatever, get yourself a decent device with Heads and Qubes.

    • 3 weeks ago
      Anonymous

      What TPM chip? It's all built into the CPU these days.

  3. 3 weeks ago
    Anonymous

    Lmao. I guarantee you that TPM has a backdoor and those keys can be dumped. The only way to be sure your disks are safe is if those keys are only stored unencrypted in your head.

    • 3 weeks ago
      Anonymous

      >TPM has a backdoor and those keys can be dumped.
      Source?

      • 3 weeks ago
        Anonymous

        I made it the frick up.
        More seriously, it's possible for the TPM to have bugs that would allow the key to be dumped. Only storing it in your head prevents this entirely.

        • 3 weeks ago
          Anonymous

          What about coercion and torture, you moron?

          • 3 weeks ago
            Anonymous
          • 3 weeks ago
            Anonymous

            Imagine TPM works. You are now tortured and coerced out of your login password instead of your LUKS password.

            Imagine TPM doesn't work. You are under the power of someone who has no qualms about torture and coercion... and they have your data too.

            This is not an improvement.

      • 3 weeks ago
        Anonymous

        You basically need to pull apart the computer, download a Pi Zero, solder the TPM and mobo through the Pi Zero, mem dump and THEN deconstruct it with the unlock keys. The method demo'd by some guys was already patched out as well, from the exploit that got the mem dump.

        There are probably back doors but thinking anyone who is probably looking to steal your laptop will bother with 1% of that effort is just fricking dumb.

        • 3 weeks ago
          Anonymous

          >download a pi-zero custom build firmware
          Still need a Pi-0 to do anything with tpm and even then, it's not worth it outside of full on fed level diagnosis.

        • 3 weeks ago
          Anonymous

          It's easier to just beat you up until you tell them the keys,
          including burning you with a soldering iron, and not the TPM module.

        • 3 weeks ago
          Anonymous

          TPM sniffing exploit is essentially OEM negligence. A proper TPM implementation can't be sniffed.

    • 3 weeks ago
      Anonymous

      Suppose it does have a back door, and they use it to get your data. Will they use your data and thus reveal that they have a back door to the rest of the world?

      • 3 weeks ago
        Anonymous

        They need not disclose how they got the data
        Honestly just assume there is a backdoor unless proven otherwise, and learn about threat modeling: remember, you can be tortured

        • 3 weeks ago
          Anonymous

          >They need not disclose how they got the data
          They do, actually, or the judge will throw out that evidence.

          • 3 weeks ago
            Anonymous

            If you're a big enough target, you'll never live long enough to see a judge anyway.

          • 3 weeks ago
            Anonymous

            Then you'll probably be tortured or taken out even if they can't access it.

  4. 3 weeks ago
    Anonymous

    TPM is literally fricking useless when both AMD and Intel have backdoors for all intelligence agencies to use. If the CPU is compromised, the entire system is compromised. You can thank Mossad for that.

    • 3 weeks ago
      Anonymous

      >when both AMD and Intel have backdoors for all intelligence agencies to use
      Source?

      • 3 weeks ago
        Anonymous

        Intel Management Engine and the AMD equivalent: on-die sub-processors with full, transparent access to hardware, with their own TCP/IP stack and MAC address. It runs in ring -3, below hardware management, i.e. PCI bus, branch prediction, etc., below the actual CPU and memory. When the NSA contracted Intel systems they mandated that the ME be disabled, citing security risk. Thanks to Bush, we have the Patriot Act that makes it illegal to not backdoor your tech if the feds tell you to, and illegal to admit that you were even approached about it. iPhones were also backdoored at the processor level, letting anyone who knows 3 simple 0day exploits read/write any memory at will and remotely. All hardware past 9/11 is backdoored.

        • 3 weeks ago
          Anonymous

          If these are backdoors you might as well use them since they could be keyloggers and store your passphrase anyways.

  5. 3 weeks ago
    Anonymous

    >now everything just werks with almost no security

    The "trust" in "trusted computing" does not refer to the user's trust. It means someone else owns your PC.

  6. 3 weeks ago
    Anonymous

    What's the point of encryption at this point??

  7. 3 weeks ago
    Anonymous

    Just make sure you use pin entry with your TPM as well or a trivial cia Black person attack will leak your key.

  8. 3 weeks ago
    Anonymous

    >Everyone talking about a backdoor when the TPM literally just unencrypts the disk on boot.
    OP, what you've done here is go from two-factor security (something-you-have: the computer; something-you-know: the password) to single-factor (something-you-have: the computer).

    TPM protects against cloning or theft of the disk only. Things that happen in big enterprise environments; where stealing the actual machine (TPM) would be impractical. In this case, removing the password is actually beneficial because the attacker can't extort an employee for the password.
    But if someone steals your laptop. They have the TPM, and the drive unlocks. Simple as.

    • 3 weeks ago
      Anonymous

      The drive unlocks, yes, but only if:
      >the bootloader is signed
      >it's the same device
      Even if they stole my drives, they can't do anything without the key or the TPM on my computer. It just drops you into the login manager, you still need to log in to access anything.

      • 3 weeks ago
        Anonymous

        Right. It IS the same device. The bootloader IS signed.
        They have the TPM on your computer because they stole your whole computer.
        It unlocks.

        • 3 weeks ago
          Anonymous

          Yes, but they can't do anything with it unless they knew the password of a user. They could of course try to dump the key from the RAM but it'd take quite a lot of effort.

          • 3 weeks ago
            Anonymous

            The drive will already be unencrypted by the time you get to the login screen. It's over.

          • 3 weeks ago
            Anonymous

            But how can the contents of it be accessed without a system password?

          • 3 weeks ago
            Anonymous

            Getting past lock screens is trivial for anyone vaguely educated in digital forensics.

          • 3 weeks ago
            Anonymous

            Couldn't the same be said about a PIN for the TPM or just a passphrase?
            I think Android works like I set up my laptop now.

          • 3 weeks ago
            Anonymous

            >Couldn't the same be said about a PIN for the TPM or just a passphrase?
            No, because extracting an encryption key using a cold boot attack requires pretty advanced forensics, and even then is very delicate and risky to perform. Now that I think about it, Microsoft may have even patched that particular vulnerability.

          • 3 weeks ago
            Anonymous

            Could you explain how they would get the user password through the login manager? Or even a TTY?

          • 3 weeks ago
            Anonymous

            If they can access GRUB on the way in they can get a root shell pretty easily by changing the boot parameters.
            Ask yourself this: which one of these systems is more secure?
            - Encryption: development is entirely centred around protection of data, lots of effort spent on the encryption algorithm, lots of scrutiny as it is used every
            - Login manager: devs are usually not security focused as they delegate this task to encryption (LightDM for example), not as much scrutiny as they never make claims of high security.
            All LightDM does to block access to your X session (on another TTY) is put a fullscreen app over it and block keyboard input.
            Just pick one secure password for your encryption, use Plymouth if prettiness is important to you, and set up autologin with an agetty service so you don't have to log in twice.

    • 3 weeks ago
      Anonymous

      >But if someone steals your laptop. They have the TPM, and the drive unlocks.
      That's why you use a PIN, moron. It doesn't even have to be complex, because brute-force attempts scare the TPM into a perma-lockout.

      • 3 weeks ago
        Anonymous

        That is exactly the point I'm making.
        OP is talking specifically about forgoing a password/pin and using TPM only.
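The argument of this subthread (TPM-only unlock is one factor, a PIN makes it two, and dictionary-attack lockout is what lets a short PIN survive guessing) as an added toy model. This is not code from the thread or from any TPM stack: `ToyTPM` is a hypothetical class standing in for the chip, the boot measurements are constructed, and a SHA-256 PCR bank is assumed. The real enrolment is a command such as `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes /dev/<luks-partition>` plus `tpm2-device=auto` in `/etc/crypttab`; the model only shows why those options matter.

```python
"""Toy model of TPM2 PCR sealing with an optional PIN and dictionary-attack (DA) lockout.
Added illustration only: a real TPM keeps the seed in silicon and enforces the policy
and the lockout in firmware; nothing here talks to hardware."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: PCR' = H(PCR || H(measurement)).
    One-way and order-sensitive: the only way to reproduce a PCR value is to
    replay exactly the same sequence of measurements."""
    return sha256(pcr + sha256(measurement))


def measure_boot(events: List[bytes]) -> bytes:
    """Replay a boot event log into one PCR, starting from the reset value (all zeros)."""
    pcr = bytes(32)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


class ToyTPM:
    """Seals a 32-byte secret to a PCR value plus an optional PIN, and counts failed
    unseal attempts the way TPM2 DA protection does (hypothetical model, not a TPM API)."""

    def __init__(self, max_tries: int = 3):
        self.seed = os.urandom(32)   # per-chip secret: another TPM cannot derive the same key
        self.max_tries = max_tries   # DA parameter: failures tolerated before lockout
        self.failed = 0
        self.blob = None

    def _kek(self, pcr_value: bytes, pin: bytes) -> bytes:
        # Wrapping key depends on chip seed, PCR policy and PIN; any one wrong => wrong key.
        return sha256(self.seed + pcr_value + pin)

    def seal(self, secret: bytes, pcr_value: bytes, pin: bytes = b"") -> None:
        assert len(secret) == 32
        kek = self._kek(pcr_value, pin)
        stream = sha256(kek + b"wrap")            # one-block keystream covers the 32-byte secret
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
        self.blob = (ciphertext, tag)            # the blob itself can live on the disk

    def unseal(self, pcr_value: bytes, pin: bytes = b"") -> Optional[bytes]:
        """Returns the secret only if PCR and PIN reproduce the wrapping key. Every failure
        counts toward DA lockout; once locked, even the right PIN is refused (a real TPM
        clears the lockout after its recovery time, this toy never does)."""
        if self.failed >= self.max_tries:
            return None
        ciphertext, tag = self.blob
        kek = self._kek(pcr_value, pin)
        if not hmac.compare_digest(tag, hmac.new(kek, ciphertext, hashlib.sha256).digest()):
            self.failed += 1
            return None
        self.failed = 0
        stream = sha256(kek + b"wrap")
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


# Constructed boot logs. Real PCR 7 records the Secure Boot state and the certificate used
# to verify each boot component, so a swapped bootloader yields a different PCR value.
GOOD_BOOT = [b"SecureBoot=1", b"db:OEM-cert", b"shim+grub verified by OEM-cert"]
EVIL_BOOT = [b"SecureBoot=1", b"db:OEM-cert", b"attacker bootloader"]
LUKS_KEY = bytes(range(32))  # stands in for the LUKS volume key


def run_scenarios() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # OP's setup: sealed to the PCR only. Whoever holds the intact machine gets the key.
    no_pin = ToyTPM()
    no_pin.seal(LUKS_KEY, measure_boot(GOOD_BOOT))
    out["no_pin_same_machine"] = no_pin.unseal(measure_boot(GOOD_BOOT)) == LUKS_KEY
    out["no_pin_tampered_boot"] = no_pin.unseal(measure_boot(EVIL_BOOT))   # None: policy mismatch

    # Same seal with a PIN: the thief now needs something they do not have.
    with_pin = ToyTPM(max_tries=3)
    with_pin.seal(LUKS_KEY, measure_boot(GOOD_BOOT), pin=b"1234")
    out["pin_right"] = with_pin.unseal(measure_boot(GOOD_BOOT), b"1234") == LUKS_KEY
    for guess in (b"0000", b"1111", b"2222"):
        with_pin.unseal(measure_boot(GOOD_BOOT), guess)
    out["failed_guesses"] = with_pin.failed                                  # 3: locked out
    out["locked_even_with_right_pin"] = with_pin.unseal(measure_boot(GOOD_BOOT), b"1234")

    # Disk cloned into another machine: same blob, same PCRs, same PIN, different chip seed.
    other = ToyTPM()
    other.blob = with_pin.blob
    out["cloned_disk_other_tpm"] = other.unseal(measure_boot(GOOD_BOOT), b"1234")  # None
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result!r}")
```

The first scenario is the one the thread is arguing about: with no PIN, an unmodified machine unseals on its own, so the login screen is the only thing left between a thief and the plaintext. The lockout counter is why a short PIN is acceptable here where it would not be as a LUKS passphrase: the guess rate is bounded by the TPM, not by the attacker's hardware. In a real TPM2 the DA parameters (`maxTries`, `recoveryTime`, `lockoutRecovery`) are set with `TPM2_DictionaryAttackParameters`, and the lockout expires rather than being permanent.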

  9. 3 weeks ago
    Anonymous

    >now everything just werks with almost no security problems.
    Fair enough. No security, no security problems.

  10. 3 weeks ago
    Anonymous

    If you want CCP level of surveillance and control then I'd gladly oblige by executing you as an example.
    I fricking mean it.

    So it's Fritz/Palladium all over again, but this time with fricking homosexuals like OP to defend it?

    https://www.salon.com/2002/07/11/palladium/
