Saturday, 24 August 2013

Microsoft hits back at German security body over Windows 8 security claims

Microsoft has lashed out at the German Federal Office for Information Security (BSI) over claims its Windows 8 operating system is unfit for use in government and critical infrastructure areas.
In a statement sent to V3, a Microsoft spokesperson said the BSI's claims that companies deploying Windows 8 on machines with a Trusted Platform Module (TPM) chip could lose control of their systems are misguided.
"Windows has made a fundamental bet on trustworthy hardware and TPM 2.0 is a key component. Based in no small part on lessons learned in the TPM 1.2 timeframe, TPM 2.0 is designed to be on by default with no user interaction required. Since most users accept defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated. We believe that government policies promoting this result are ill-advised," read the statement.
"It is also important to note that any user concerns about TPM 2.0 are addressable. The first concern, generally expressed as 'lack of user control,' is not correct as OEMs have the ability to turn off the TPM in x86 machines; thus, purchasers can purchase machines with TPMs disabled (of course, they will also be unable to utilize the security features enabled by the technology)."
Questions about Windows 8's security initially surfaced when reports broke suggesting that a leaked BSI document proved Microsoft had built a back door into the OS, letting it, or the NSA, hijack control of the machine from the end-user.
The reports led to wider concerns that Microsoft was helping the NSA, which ran the infamous PRISM campaign, siphon information from companies.
The spokesperson moved to quell these rumours, saying, "Since the adoption of the Trustworthy Computing Initiative over 10 years ago, Microsoft has focused relentlessly on the security and privacy of IT users. Indeed, we are committed to building products that are SD3 (Secure by Design, Secure by Default, and Secure in Deployment) and PD3 (Privacy by Design, Privacy by Default, and Privacy in Deployment). It is also important to remember that one cannot have privacy without good security."
The BSI reacted to the reports by releasing an official statement criticising the lack of user control in Windows 8. The Microsoft spokesperson attacked this supposition, arguing, "Windows has been designed so that users can clear/reset the TPM for ownership by another OS if they wish. Many TPM functions can also be used by multiple OSes (including Linux) concurrently."
Microsoft's rebuttal of the BSI's claims has been backed by members of the security community. F-Secure security researcher Sean Sullivan told V3 that the BSI has a chequered past regarding Microsoft and it is unlikely that the current accusations have much weight.
At the time of publishing the BSI had not responded to V3's request for comment on Microsoft's rebuttal.
