The Dangers of Microsoft Pluton

What you can install on YOUR pc will be at the sole mercy of microsoft/or maybe someone else.... That's the cusp of it. Not that it can be used for good, but that it sets the way for heavy misuse by large corporations.

Wait a few years. Smaller companies won't even be allowed to order high end cpu's. You'll be at 100% mercy of these corporations.

If after 2 years they decide to brick your pc, they'll just do it. You think government will help you out here? Lol...

still waiting on the secure boot lockdown everyone has insisted is coming for the better part of two decades...

You may be right, of course. But if you read the article closely, it is already here.

The difference is for now you can still go to BIOS and enable Microsoft's key for 3rd party OS.

Maybe when Windows 12 comes out that option isn't there.

It is a real thing on most phones, and has been for years. We're just lucky PCs haven't been crippled this way.

They're working on it. Microsoft's latest attempt is to disable the 3rd party UEFI CA by default.

I'm pretty sure some Windows 10 tablets from 2014 to 2016 are locked down to only allow Windows on them (Not S-mode).

You mean like this ?

https://www.theregister.com/2022/07/11/lenovo_secured_core/

It creeps closer with every release, and is the status quo for arm devices (including windows ones).

It's only through constant vigilance and fighting back that it has been slowed dowm by two decades.

>As of January 2021 deleting SecureBoot keys and installing your own keys (for example by using KeyTool) will brick the device. This is a problem that is similar to one which has been reported on some other Lenovo laptops [0] and is likely due to a faulty firmware. If the device is stuck in a boot loop after replacing the SecureBoot keys, the only way to repair it is by replacing the mainboard of the device.

[0] https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/BIOS-...

From https://wiki.archlinux.org/title/Lenovo_ThinkPad_T14/T14s_(I...

Secure chips like this are already in all devices but PCs. And in none of these areas has any of that happened. Quite the opposite, Apple got a fine when they slowed down older devices to save battery (at least what they said).

So the government will clearly help out here. And none of these companies has an incentives to stop sales to smaller companies, they make a lot of money with those.

> Quite the opposite, Apple got a fine when they slowed down older devices to save battery

But the devices were actually slowed down, so the danger is real.

> Secure chips like this are already in all devices but PCs. And in none of these areas has any of that happened.

Ah, that must be why we all have root access and can freely modify or install anything we want on every device we own! Oh, wait, we don't have those things and our non-PC systems are increasingly locked down and routinely do things against the wishes of the people who own them.

They tried with Windows RT. It was UEFI system, booting only Windows. That booted Windows went even further, allowing to run only signed binaries.

Market rejected it. At the time, there was an alternative. What are most people going to do, when there is not?

> So the government will clearly help out here.

I...don't share your optimism, to put it lightly.

And Apple had to revert it and got punished for it. What more do you want?

Try to install a BitTorrent client on your iphone, or a game emulator, a sexually explicit game or even a browser with a different engine.

All this has already happened since 2008 when the app store came out.

Good laws should prevent crimes, not just punish for committing them.

Does reflashing the BIOS EEPROM (via hardware clip) work? Or have they "secured" that out of the question too?

The goal is not to prevent you from running Linux, is to make it so that Linux cannot access the content you are interested in.

Remote Attestation establishes a root of trust that can be used to verify that all of the software down the line is "approved":

- You won't be able to browse sites or use apps with ads unless you run a 'trusted' device, OS and browser that does not block ads.

- You won't be able to browse sites with captchas unless you run a 'trusted' device, OS and browser that does not allow bots to interact with the browser.

- You won't be able to run Netflix unless you run a 'trusted' device, OS and browser so that you can't record the content.

- You won't be able to play online games unless, again, you run a 'trusted' device and OS so that you cannot cheat, or more importantly modify it in any way (why would you purchase skins if you can mod them in?).

- You won't be able to use online banking unless you use a trusted OS because banks.

Remote Attestation is pretty terrifying and it will be here soon unless it is regulated out of existence, which is unlikely.

As someone who enjoys hacking, looking at that list sounds terrible.

As a regular user, most of that list doesn't sound too bad. Their future devices will automatically have these features enabled, they're not likely to change those settings to "break" their device (from the perspective of Trusted Computing) so they'll have a smooth experience getting into it.

- Can't block ads? A lot of average users already don't/don't know how, but this one would probably would affect a lot of people. Probably a bad thing no matter how you slice it.

- They'll have a better experience online as they won't be interrupted with captchas. Wouldn't you prefer if you never experienced captchas and logins were smoother and easier? So a wash to a positive for an average user.

- This makes it an easier deal for streaming services to let you cache their DRM'd content offline and makes the deals they have to cut with media companies potentially cheaper. Once again they're probably buying off the shelf computing devices which will probably work seamlessly with these restrictions, so they either won't notice anything or potentially get more features than they have now with those services they're already using. I'm not necessarily a fan of DRM but the market has largely spoken, people prefer streaming rather than actually owning the media.

- Fewer cheaters in online games sure sounds like a positive to me.

- My bank account online is more secure? This is a bad thing?

But you could work around it at the software level.

With this tech stack, you wouldn't be able to.

> So the government will clearly help out here.

The government is probably part of the driving factor in building this system.

The government probably doesn't want Wikileaks type material to be rendered. There are _so_ many ways the government likely wants to abuse this.

This smacks of fear mongering. The scenario you've outlined is just absurd. Many manufactures have pledged to turn this off by default and be an opt-in model. I'm not disagreeing that laptops given out by corporations for to you to use for work won't be heavily locked down and could be bricked remotely. But most laptops today already come this way from IT.

It's not absurd at all. It already happens on a large portion of computing devices in existence (iOS).

Work around how? As a developer?

I'm sure there will be developer options for this too. After all, Microsoft is not going to make all the software themselves.

But they could restrict this too. For a lot of platforms you now have to sign up for a developer account and license agreement. Like on iOS, Oculus Quest..

I'd be surprised if that's not one of the bits of firmware that's checked on boot. So yeah, probably not possible, and not possible to downgrade.

The goal is that it's secured as well; the bios image itself is measured into the TPM and pluton as part of secure boot.

This is all just giving away control to corporations. Freedom is about having the option, not using it. Even if most "regular users" never use it, if they ever change their mind they'll surely appreciate having it. It also affects the ability to develop new hardware, and being locked to hardware/software approved by the remote side (e.g. Facebook or whichever app/site you're using) is a pretty Dystopian reality.

> My bank account online is more secure?

Sincerely, why? Because I can't customize my own software anymore? Fortunately banks around here don't require SafetyNet, some of them do require a mobile device though.

If all clients interfacing with the bank's API are required to prove they're locked down devices running proven official clients it reduces the potential attack surface. Lowering the attack surface increases the security.

If the market really cared about being able to run whatever software you wanted, nobody would be buying iPhones. Fire TV sticks and Rokus wouldn't move any products. Playstations, Xboxes, and Nintendo Switches would be crushed under the massive marketshare of Mister devices and Steam PCs. One quick look at reality shows this isn't the case.

I think you're massively overestimating the market size of people who actually care.

Note that I'm not making any moral argument here, I'm not saying whether these things are good or bad. Personally as someone who likes to tinker and has been bitten several times by DRM and the likes, I'm not too much of a fan. As someone who has to try and ensure compliance on devices, its a godsend. But at the same time I know lots of people who buy Xboxes and Playstations because there's less cheating that happen on that platform. I know lots of people who buy iPhones and iPads because they know the odds of accidentally getting malware on it is very low compared to alternatives. To them, locked down hardware is a selling point.

I don't like having to lock my bike, its a huge pain. But at the same time there's tons of people here arguing locks shouldn't exist. Trusted computing, in the right context, is a good thing. Being able to lock your door is good! Being able to assure your device is what you say it is is good! I definitely agree there are potential dystopian futures with this technology, but that's true of any truly revolutionary technology. Wheels move carts of grain and help tanks roll. Being able to break dinitrogen into more usable sources gives us cheap fertilizer and explosives.

>- You won't be able to browse sites

How would that work?

HTTP is just HTTP

> I think you're massively overestimating the market size of people who actually care. Note that I'm not making any moral argument here, I'm not saying whether these things are good or bad.

I think we're just discussing different things here then. I'm specifically talking about whether this is good or bad for the future of society. Most people buy whatever is most convenient at the time, which is fair and everyone has done this at some point, but it may or may not the best for society.

> I know lots of people who buy iPhones and iPads because they know the odds of accidentally getting malware on it is very low compared to alternatives. To them, locked down hardware is a selling point.

It may be a bubble, but of all the iPhone users I know, I don't think any of them has bought it for that reason. Most here buy them for either being simpler to use, lasting longer, or status. Of all the Android users I know, I don't know any that has knowingly got any kind of malware, and that includes people with very old phones.

Sites could require remote attestation via a new API just like some sites (Netflix, etc) require DRM to play content.

I've had several people I've known affected by malware on Android. Its not entirely uncommon.

The website says "prove that you don't control this computer or I don't serve you"

As does every financial or government website for 'security'

Soon you will be able to do it in EU, thanks to government.