[Arm-netbook] TPM backdoor

Derek dlahouss at mtu.edu
Wed Sep 4 14:52:07 BST 2013

 <freebirds <at> fastmail.fm> writes:
> Regardless whether you believe TPM is a backdoor and Microsoft required
> manufacturers to install hidden bluetooth, both TPM and bluetooth have
> an extremely visible unique identifier (UUID). Their UUID can be
> geolocated. TPM and hidden bluetooth cannot be disabled. Now is the time
> to generate publicity for open source hardware and request donations.
> There are more articles on TPM's backdoor than I listed two days ago and
> more forum posts too. 

A TPM chip does not have a UUID.  It does have a private key, which can be
re-generated at any time.  However, the public side of that key isn't
typically sent anywhere, and is only used within the computer.  Disabling
the TPM chip is BIOS dependent.  On my Dell E6220 (and all other Dell
Latitude and Precisions that I've seen), there is a clear BIOS option to
disable or clear the TPM.

> On Mon, Sep 2, 2013, at 04:14 PM, Derek wrote:
>> "BUT, if you... if I own the keys to my TPM (which is to say  I generate
>> them and never allow them to leak), then I control my
>> computer. " 
> The articles say the opposite. That Windows 8 ships with TPM
> 2.0 preactivated and cannot be disabled. That the Chinese manufacturers
> of TPM, Microsoft and trusted third parties have the initial key. Any
> key an user can generate is subordinate and ineffective against them. 

This is, again, a fundamental misunderstanding of the technology.  What
you're describing involves the TPM chip, yes.  Here's the real deal:
- Computer boots, loading firmware flashed into the motherboard.  Cryptohash
sent to TPM
- Computer verifies modules from read-write media based on root keys stored
in a protected area (generally, Microsoft signing key).  Loads modules that
pass.  Stores cryptohash to TPM
- Computer attempts to use the TPM to unlock the hard drive encryption.  IF
the state is the same (that is, no added modules, no change in boot
sequence), the drive unlocks and the system comes up for the user.

So, yes, a computer you buy from someone else may be, initially, owned by
them.  However, on the Intel platform, Microsoft says you MUST be allowed to
take control of the system (by loading your own keys to the firmware).  I'll
repeat that: MICROSOFT's specification gives YOU the ability to install your
own root of trust.

Aside: On ARM, this is not true.  On WinRT and ARM, it is always and forever
Microsoft's computer.

> Starting in 2006 with Vista, Microsoft secretly required manufactuers to
> install TPM. 
> None
> mentioned TPM. I have looked at the BIOS of numerous netbooks to make
> sure none had computrace. None of the BIOS listed TPM. Windows and Linux
> hardware profilers do not list TPM. Hence, I naively purchased netbooks
> that had TPM.

It's not generally a selling point.  Just as they don't advertise the number
of screws used in the case.  I researched my Dell E6220 specifically to find
out it DOES have a TPM chip.  And that's why I bought it.

> lsmod shows
> the TPM is enabled,  activated and being used but not by me. : 
> lsmod from live DVD of Tails using Asus 1025C netbook on Jan 9, 2013:
> tpm 17566 1 tpm_tis
> tpm_bios 12836 1 tpm
> tpm_tis 13150 0 
> lsmod from live DVD of Tails using HP Mini 1000 netbook on 9/2/2013:
> tpm 17735 1 tpm_tis
> tpm_bios 13244 1 tpm
> tpm_tis 13040 0 
> TPM is very active. I didn't encrypt my harddrive with TPM. I didn't use
> TPM. What is TPM doing?

You may as well show audio modules and ask what your speakers are doing when
your computer is silent.  Just because the module is loaded, does not mean
it is being used.  Without the trousers package, your linux computer ISN'T
using the TPM.

> I believe TPM uses hidden embedded bluetooth to disclose geolocation of
> both their UUIDs and data when the computers are offline.

You are entitled to your beliefs.  However, I hope you will listen to reason
too.  There is no reason to use "hidden bluetooth" for this.  If the goal
were simple tracking, bluetooth is far too much solution.  There are simpler
methods of tracking.

> Bluetooth is being used but not by me. 

Correction: Bluetooth is ready to be used, but you don't think you're using it.

> I searched for commands to kill TPM and found them at
> http://lunaticoutpost.com/private.php?action=send&uid=3135.  I haven't
> tried the commands as I fear TPM will still load.

Subscription required.  As I know it, you load the trousers package on
linux, and then run the tpm_take_ownership command.  If that fails, run
tpm_clear and on next boot, confirm physical presense.  This will ruin your
Windows 8 install if you're using Bitlocker.

> The crackers have complete remote control of my netbooks independent of
> the operating systems I use. They  freeze the downloading of linux ISOs.
> The ISOs I do download completely, they replace with tampered ISOs
> before I can burn them to a DVD. They won't boot. Or they do boot but
> are obviously missing packages and are obviously tampered with. Hence, I
> purchased linux DVDs from OSDisc. 
> They infected my harddrives with their bootloader. My netbooks booted up
> to their tampered OS. I removed the harddrives and returned to booting
> to live DVDs using an external DVD writer. They broke into my room,
> stole my external DVD writer, infected it with firmware rootkit and
> returned my DVD writer. 
> I attempted to install Linux on SD cards. They froze my computer during
> installation. The distros I was able to install on SD cards and boot to,
> the crackers crashed the kernel and rendered the sd cards unbootable.
> They infected my music, movie, pdfs, jpgs, doc and rtf files. They
> installed hidden protected encrypted partitions on my flashdrives and sd
> cards that auto run when inserted into a Linux or windows computer. The
> malware infects the computer and phones home to the crackers and I
> become geolocated. After booting to a live DVD of Ubuntu Privacy Remix, 
> truecrypt, which is preinstalled in UPR, asks for a password. Opening
> the media folder in root shows several harddisks for my sd card as well
> as for my flashdrive. Killdisk detects the hidden partitions as
> individual harddisks, not as partitions. Wiping the sd cards and
> flashdrives with a live CD of hdat2, killdisk, DBAN and BC Wipe Out do
> not delete the hidden partitions. 
> After booting to a live DVD of Security Onion, I am asked to choose a
> program to open the null files. I check show hidden files. I do not see
> hidden files. The null files are either in the hidden protected
> encrypted partitions or in folders that I initially had created but the
> crackers changed the permissions of. They frequently denied me access to
> my own files and folders. I cannot open them nor delete them. I can only
> wipe the cards to delete the folders and files.I also have been unable
> to change the file permissions of the rest of my files which is read,
> write and execute. Error message: "You are not the owner so you cannot
> change the permissions." Logging in as root does not help as the
> crackers immediately log in as root after boot up. 

You are describing a National level of effort, targeted at hassling you. 
Seriously, I doubt anyone would go to this length.  Not even Anonymous would
bother this hard.

More information about the arm-netbook mailing list