AMD fTPM hacked

porina
19 minutes ago, StDragon said:

Run the following command from an elevated prompt.

manage-bde -status

If the Encryption Method says "XTS-AES 128", then it's software defined BitLocker encryption which the vast majority of the implementations are. However if it says "Hardware Encryption" then the drive is a SED using the TCG Opal standard.

To view the recovery password you can also run this command

manage-bde -protectors -get c:


 

Which is great when the machine boots into a non-corrupted Windows 😉

CPU - Ryzen 7 3700X | RAM - 64 GB DDR4 3200MHz | GPU - Nvidia GTX 1660 ti | MOBO -  MSI B550 Gaming Plus
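Added example, not part of the posts above: a Python parser that applies the check StDragon describes to saved `manage-bde -status` output, classifying each volume as software BitLocker or hardware (SED) encryption. It goes one step further than the post and also reads the "Key Protectors" list, flagging volumes whose only unlock protector is the TPM. The sample output is constructed, the parser assumes English-locale output, and all function names are illustrative.

```python
import re

# Constructed sample of `manage-bde -status` output (not captured from a real machine).
SAMPLE_STATUS = """\
Volume C: [OS]
[OS Volume]

    Size:                 237.00 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numeric Password

Volume D: [Data]
[Data Volume]

    Size:                 931.50 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Key Protectors:
        External Key (Required for automatic unlock)
        Numeric Password

Volume E: [Scratch]
[Data Volume]

    Size:                 100.00 GB
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume (\S+):")       # e.g. "Volume C: [OS]"
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")  # e.g. "    Encryption Method:    XTS-AES 128"
RECOVERY = {"Numeric Password"}                 # the recovery password, not a boot-time unlock method


def parse_status(text):
    """Split the report into one dict per volume with its fields and key protectors."""
    volumes, current, in_protectors = [], None, False
    for line in text.splitlines():
        header = VOLUME_RE.match(line)
        if header:
            current = {"volume": header.group(1) + ":", "fields": {}, "protectors": []}
            volumes.append(current)
            in_protectors = False
            continue
        if current is None or not line.strip():
            in_protectors = False               # a blank line ends a protector list
            continue
        if in_protectors:
            current["protectors"].append(line.strip())
            continue
        field = FIELD_RE.match(line)
        if field:
            key, value = field.group(1).strip(), field.group(2).strip()
            current["fields"][key] = value
            if key == "Key Protectors":
                in_protectors = not value       # empty value means a list follows
    return volumes


def classify(method):
    """Map the 'Encryption Method' field to the categories from the quoted post."""
    if not method or method == "None":
        return "unencrypted"
    if method.startswith("Hardware Encryption"):
        return "hardware"                       # self-encrypting drive (TCG Opal)
    return "software"                           # e.g. XTS-AES 128, done by BitLocker itself


def audit(text):
    """One summary row per volume."""
    report = []
    for vol in parse_status(text):
        unlock = [p for p in vol["protectors"] if p not in RECOVERY]
        report.append({
            "volume": vol["volume"],
            "encryption": classify(vol["fields"].get("Encryption Method", "")),
            "protection_on": vol["fields"].get("Protection Status") == "Protection On",
            # TPM as the only unlock protector: the volume unlocks at boot with no
            # user secret, so its confidentiality rests entirely on the TPM.
            "tpm_only": unlock == ["TPM"],
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_STATUS):
        print(row)
```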


8 hours ago, LAwLz said:

All of those links just seem to confirm what I said.

The fTPM and IME are two separate things. Attacks on the IME can compromise the fTPM since the IME has access to everything, but that does not mean they are the same thing.

Well I'd disagree with that since it doesn't matter how fTPM is compromised if it's been compromised. TPM is supposed to be a secure isolated environment to put specially protected data so a compromise of its management engines (CPU or PCH) that gives access to TPM is a security flaw with fTPM.

 

It's an unnecessary splitting of hairs. This issue is that protected TPM data can be accessed when it shouldn't be able to.

 

Intel's management engines provide platform security functions, some of those run in the chipset and some of those run in the CPU. They talk to each other which means fTPM is not solely and only incorporated in the CPU and does not only function within the CPU.

 

Quote

Intel® Platform Trust Technology (Intel® PTT) - Intel® Platform Trust Technology (Intel® PTT) offers the capabilities of discrete TPM 2.0. Intel PTT is a platform functionality for credential storage and key management used by Windows 8*, Windows® 10 and Windows* 11. Intel PTT supports BitLocker* for hard drive encryption and supports all Microsoft requirements for firmware Trusted Platform Module (fTPM) 2.0.

 

Quote

Intel® Platform Trust Technology (Intel® PTT) Vulnerability in Systems Using Intel® CSME and Intel® TXE (Intel-SA-00142)

Documentation

Content Type: Product Information & Documentation

Article ID: 000030081

Last Reviewed: 09/13/2018

In an effort to continuously improve the robustness of the Intel® Platform Trust Technology (Intel® PTT), Intel has performed a security review of its Intel® PTT. As a result, Intel has identified a potential vulnerability in the Intel® PTT module that may allow information disclosure of certain Intel PTT data via physical access.

Firmware updates have been provided to system manufacturers that resolve the issue. Intel recommends that you check with your system manufacturers to determine the availability of their firmware update. Then apply available updates in a timely manner.

 

Quote

A potential vulnerability in the Intel® PTT module in Intel® CSME firmware and Intel® TXE firmware may allow information disclosure. Intel is releasing Intel® CSME firmware and Intel® TXE firmware updates to mitigate this potential vulnerability.

 

I simply cannot see the argument that these are separate things when Intel themselves aren't saying so. PTT = fTPM, PTT vulnerability in CSME/TXE ergo since these are directly linked they are not actually separate.


12 hours ago, YoungBlade said:

Encryption using TPM. That's what this thread is about. Were you referring to something else?

The TPM does more than just encrypt stuff, and when I say "properly implemented security" I am not just talking about BitLocker. That's why I mentioned programs such as Signal, iOS's FDE and so on. 

 

I wouldn't really trust BitLocker with some types of sensitive data because I assume that's backdoored by Microsoft. It should (and does) protect against most thieves but maybe not government agencies. 

 

If you think that as soon as someone gets their hands on the hardware it should be treated as compromised, why would anyone serious with security even bother? Why do you think the most security conscious government agencies require FDE if it can't be trusted anyway? Your quote doesn't make any sense. It's just a catchy sounding quote parroted by people who don't know anything about security.


5 hours ago, leadeater said:

It's an unnecessary splitting of hairs. 

In practice it doesn't matter, which is why I said that in my earlier post. But I think it is important to be specific when talking about security, and since I hadn't heard about some exploits against Intel's fTPM itself, and couldn't find any on the first page on Google, I asked you. You provided at least one fTPM specific vulnerability that I didn't know about. That was it.

I feel like you're reading way too much into my original post. 


12 minutes ago, LAwLz said:

The TPM does more than just encrypt stuff, and when I say "properly implemented security" I am not just talking about BitLocker. That's why I mentioned programs such as Signal, iOS's FDE and so on. 

 

I wouldn't really trust BitLocker with some types of sensitive data because I assume that's backdoored by Microsoft. It should (and does) protect against most thieves but maybe not government agencies. 

 

If you think that as soon as someone gets their hands on the hardware it should be treated as compromised, why would anyone serious with security even bother? Why do you think the most security conscious government agencies require FDE if it can't be trusted anyway? Your quote doesn't make any sense. It's just a catchy sounding quote parroted by people who don't know anything about security.

You bother with security because you hope that it works. You assume it's compromised because it might be. Hope for the best, assume the worst.

 

I can guarantee you that, if a laptop belonging to a government agent were stolen, the agency in question would take every possible precaution - acting as if the data was compromised. Do you really think that, if someone stole the Nuclear Football, that all of the codes wouldn't be changed ASAP? It doesn't matter how good your security measures are, you don't trust something like that in the hands of a bad actor.


3 minutes ago, YoungBlade said:

You bother with security because you hope that it works. You assume it's compromised because it might be. Hope for the best, assume the worst.

You sure like catchy quotes. I don't think "hope for the best, assume the worst" is good either when it comes to security.

I find that these extreme opinions that contain no nuance are often held by people who severely lack understanding of the subject. Because they don't understand something they act according to some extreme in the hopes that they are at the very least on the right side. I am not saying that you fit that description, but right now it seems to me like you do.

 

7 minutes ago, YoungBlade said:

I can guarantee you that, if a laptop belonging to a government agent were stolen, the agency in question would take every possible precaution - acting as if the data was compromised. Do you really think that, if someone stole the Nuclear Football, that all of the codes wouldn't be changed ASAP? It doesn't matter how good your security measures are, you don't trust something like that in the hands of a bad actor.

And I can guarantee you that, because I work for the military regarding security, and I am certified in INFOSEC according to CNSS and NSA standards, that no, if a laptop belonging to a government agent were stolen they would not act as if the data was compromised or "take every possible precaution". The answer to how they would act would be "it depends".

Nuance is what's missing from this conversation. It depends on which information it contained, it depends on what security measurements were in place, it depends on how easy or hard the counter measurements would be. Like I said earlier, a lot of services and functions rely on the fact that having hardware access doesn't compromise the device itself. You don't rebuild your entire wireless environment just because someone can physically touch one access point, even though the access point contains a lot of sensitive data.


7 hours ago, LAwLz said:

I wouldn't really trust BitLocker with some types of sensitive data because I assume that's backdoored by Microsoft. It should (and does) protect against most thieves but maybe not government agencies.

FYI, you can configure BitLocker to be FIPS 140-2 compliant; a security standard that both US and Canada agencies adhere to.

With regards to the recovery code, for home users it's typically going to be backed up to your Microsoft account, and I doubt it would take much effort for agencies to subpoena access to the account in order to recover it. In fact, there's probably a process specifically for that to fast-track the request between agencies and Microsoft.

Additionally, within managed networks that use AD, there will be a GPO configured to back up those keys as well.

Above and beyond that, I don't think BitLocker is backdoored or other nation-states wouldn't use it.


8 hours ago, LAwLz said:

You sure like catchy quotes. I don't think "hope for the best, assume the worst" is good either when it comes to security.

I find that these extreme opinions that contain no nuance are often held by people who severely lack understanding of the subject. Because they don't understand something they act according to some extreme in the hopes that they are at the very least on the right side. I am not saying that you fit that description, but right now it seems to me like you do.

 

And I can guarantee you that, because I work for the military regarding security, and I am certified in INFOSEC according to CNSS and NSA standards, that no, if a laptop belonging to a government agent were stolen they would not act as if the data was compromised or "take every possible precaution". The answer to how they would act would be "it depends".

Nuance is what's missing from this conversation. It depends on which information it contained, it depends on what security measurements were in place, it depends on how easy or hard the counter measurements would be. Like I said earlier, a lot of services and functions rely on the fact that having hardware access doesn't compromise the device itself. You don't rebuild your entire wireless environment just because someone can physically touch one access point, even though the access point contains a lot of sensitive data.

I was not aware that that's what you did, or else I would not have spoken so generally.

 

I work as a PHP developer, and the general rule for web servers is that you don't give access to anyone who doesn't need it. The physical servers are to be kept behind locked doors, and are only to be accessed by authorized personnel. This is a best practice for the industry. If you don't believe me, Microsoft has an entire write-up about it that shows the extremes they go to to make sure people don't walk off with server equipment: https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-physical-access-security

 

Obviously, most of the folks I work with don't go as far as Microsoft when it comes to physically protecting their data, but the general idea really is "physical access is root access" so you don't give anyone you don't trust physical access to anything. I'm not just saying that as a catchy quote.

 

So, to add some nuance, and to bring this back to the original post, I'll be specific: What would you advise someone do if their laptop were stolen, and it used AMD's fTPM and BitLocker with a strong password as the means of encrypting the drive?


2 hours ago, StDragon said:

With regards to the recovery code, for home users it's typically going to be backed up to your Microsoft account, and I doubt it would take much effort for agencies to subpoena access to the account in order to recover it. In fact, there's probably a process specifically for that to fast-track the request between agencies and Microsoft.

Yep, pretty much defeating the whole purpose of encryption.....


20 minutes ago, jagdtigger said:

Yep, pretty much defeating the whole purpose of encryption.....

If your whole purpose is to keep it from the authorities.


1 hour ago, Holmes108 said:

If your whole purpose is to keep it from the authorities.

The purpose is to prevent unauthorised access by 3rd party. Couldn't care less about who is that 3rd party. Plus it's well known authorities like to abuse any power they have.


21 minutes ago, jagdtigger said:

The purpose is to prevent unauthorised access by 3rd party. Couldn't care less about who is that 3rd party. Plus it's well known authorities like to abuse any power they have.

Even with fully functional encryption you still have to abide by the local laws of the land. The issue is a flawed implementation of security that can and would be abused via illicit means. 


2 hours ago, StDragon said:

The issue is a flawed implementation of security that can and would be abused via illicit means. 

Exactly what MS is doing by grabbing and handing keys out without proper authorization. (And no, using force like court orders is not proper authorization.)


7 hours ago, StDragon said:

FYI, you can configure BitLocker to be FIPS 140-2 compliant; a security standard that both US and Canada agencies adhere to.

With regards to the recovery code, for home users it's typically going to be backed up to your Microsoft account, and I doubt it would take much effort for agencies to subpoena access to the account in order to recover it. In fact, there's probably a process specifically for that to fast-track the request between agencies and Microsoft.

Additionally, within managed networks that use AD, there will be a GPO configured to back up those keys as well.

Above and beyond that, I don't think BitLocker is backdoored or other nation-states wouldn't use it.

I know. I use Bitlocker for work and I am not worried about it. But for personal use or if I were in a country that didn't work with the US government (ignoring all the massive amounts of spying the US government does against their allies) I wouldn't trust a closed source program made by Microsoft when there are proven open source alternatives.

I don't really think other nations using it is evidence of it not being backdoored. The US has a lot of influence and can force other countries to comply with their demands.

 

 

6 hours ago, YoungBlade said:

I work as a PHP developer, and the general rule for web servers is that you don't give access to anyone who doesn't need it. The physical servers are to be kept behind locked doors, and are only to be accessed by authorized personnel. This is a best practice for the industry. If you don't believe me, Microsoft has an entire write-up about it that shows the extremes they go to to make sure people don't walk off with server equipment: https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-physical-access-security

 

Obviously, most of the folks I work with don't go as far as Microsoft when it comes to physically protecting their data, but the general idea really is "physical access is root access" so you don't give anyone you don't trust physical access to anything. I'm not just saying that as a catchy quote.

Limiting access is good, but I think you are jumping to some conclusions.

First of all, a ton of web servers today are run on someone else's hardware. Just look at how much data goes through AWS and Azure. The companies hosting their services there are in fact giving away control of the hardware. But it's a very complicated subject and there are a lot of nuances to it. I doubt for example NASA treats all their data as completely lost just because they host it on someone else's server (in this case, Amazon). Apple hosts iCloud on Azure and I don't see them treat all the data hosted on iCloud as being compromised just because someone else has physical access to their servers. Pixar doesn't treat all their movies as compromised and leaked just because they host their stuff on Azure. Pfizer does not treat all their medical research as compromised just because it's hosted on AWS. All of these things are companies handing over physical access to their data center to someone else.

In the case of these companies in some sense, they have handed over the software portion as well, which is a far bigger threat than handing over control of the hardware.

 

A lot of the security precautions done for Microsoft's data centers are not because they are scared people can access their servers and compromise them. A massive reason for limiting physical access is so that someone doesn't go in and break stuff which could cause data loss or outages. A tiny part of it is also a bit of a show to get companies to trust them more. But it is also about minimizing risk. Fewer people in = less likely that something could go wrong. But the important point is that you should not panic and act as if everything is lost as soon as someone has physical access. The entire reason why we have things like TPMs, FDE, encrypted data at rest, memory encryption, secure boot, etc, is to protect against attacks even when someone has physical access.

You take sane and reasonable precautions depending on what was lost and how it was lost. You don't assume the worst has happened and act according to that. You usually assume the most plausible thing has happened, and then maybe take some reasonable security precautions if something unlikely but still plausible has happened, depending on the situation.

 

Again, you don't completely redo an entire Wi-Fi environment just because someone steals an access point, nor do you assume all communications done on that Wi-Fi network is completely open for everyone else to read and see, even if that access point may or may not contain things like the RADIUS secret and private keys for WPA encryption.

 

 

 

 

6 hours ago, YoungBlade said:

So, to add some nuance, and to bring this back to the original post, I'll be specific: What would you advise someone do if their laptop were stolen, and it used AMD's fTPM and BitLocker with a strong password as the means of encrypting the drive?

Depends on what they had on that laptop and how it was configured.

I'd probably do a quick risk analysis and fix some of the low-hanging fruits. Like invalidate my logins for some services just in case, somehow, for some reason, they got into the laptop. The likelihood is very small, but it's an easy thing to do and it doesn't hurt anything.

I wouldn't ask the military to redesign their entire network just because I may or may not have had some information regarding that on my laptop. I wouldn't start changing all my passwords because they are behind multiple levels of protection and even IF one of those layers failed, the other ones most likely wouldn't. 

What I would advise or do has a ton of asterisks and "ifs" and "buts" associated with it depending on the situation.

 

 

5 hours ago, jagdtigger said:

Yep, pretty much defeating the whole purpose of encryption.....

It depends on what the purpose is.

Is it to protect your data against a random thief stealing your computer?

Is it to protect your data against Microsoft stealing it?

 

Different solutions for different issues. I'd agree with you that a good solution would prevent any unauthorized access (like how Apple does it) but I wouldn't call what Microsoft does "defeating the whole purpose". Far from it. It protects from the most realistic threat that their customers are exposed to. They could probably do it better, but that does not mean they are doing it poorly.


43 minutes ago, LAwLz said:

Limiting access is good, but I think you are jumping to some conclusions.

First of all, a ton of web servers today are run on someone else's hardware. Just look at how much data goes through AWS and Azure. The companies hosting their services there are in fact giving away control of the hardware. But it's a very complicated subject and there are a lot of nuances to it. I doubt for example NASA treats all their data as completely lost just because they host it on someone else's server (in this case, Amazon). Apple hosts iCloud on Azure and I don't see them treat all the data hosted on iCloud as being compromised just because someone else has physical access to their servers. Pixar doesn't treat all their movies as compromised and leaked just because they host their stuff on Azure. Pfizer does not treat all their medical research as compromised just because it's hosted on AWS. All of these things are companies handing over physical access to their data center to someone else.

That is not at all what I was talking about. You accuse me of being about to make a strawman, and you do exactly that by assuming I'm implying that anyone with physical access to hardware other than the owner of the data is a form of compromise. No one is arguing that - that would be insane. If I give my laptop to my fiancee or my mom or my best friend to borrow, I don't assume that the data is compromised, because those people are not bad actors. But if I'm at a coffee shop and go up to the counter to get some sugar, only to come back and find that it's gone, now I'm concerned. Just putting the data on Microsoft's servers is not a form of compromise. If Microsoft had a breach of their security, where someone unauthorized got in and stole drives or other hardware containing customer data, that's when the companies involved would have reason to be concerned.

43 minutes ago, LAwLz said:

Depends on what they had on that laptop and how it was configured.

I'd probably do a quick risk analysis and fix some of the low-hanging fruits. Like invalidate my logins for some services just in case, somehow, for some reason, they got into the laptop. The likelihood is very small, but it's an easy thing to do and it doesn't hurt anything.

I wouldn't ask the military to redesign their entire network just because I may or may not have had some information regarding that on my laptop. I wouldn't start changing all my passwords because they are behind multiple levels of protection and even IF one of those layers failed, the other ones most likely wouldn't. 

What I would advise or do has a ton of asterisks and "ifs" and "buts" associated with it depending on the situation.

Given how the LTT attack went down, I wouldn't put my trust in things like MFA to be the only means of protection. Just having your browser perpetually logged in to your sites is a pretty big risk, and it's something that almost everyone does. If the attacker gets access to Windows, and you haven't changed the password and/or told the service to log that laptop out of that site, then the attacker is in for any service your laptop is logged in for, regardless of MFA or pretty much any other security you might have.

 

To me, that's too big of a risk. At the bare minimum, I'd do a force sign-out of all devices from all of my accounts, assuming the website allows for that, and I'd probably just change all of the passwords to force the issue as well - as most sites invalidate cookies if the password changes.

 

And while modern encryption methods are very good, they're all vulnerable to the progress of technology, if nothing else. I remember the days when MD5 was how you were supposed to store passwords on a database - it was common even into the 2000s - which is why in 2005 the guy who wrote it had to tell people to stop using it. Not everyone listened, and there were some successful attacks against it. Even with the flaws, the thing that totally killed it was modern hardware being way too fast compared to the hardware available in 1991 when it was made. There is a good chance that advances in quantum computing will render today's security equally useless in the future.

 

Maybe I should have more faith in these encryption methods, but I worry that we're not too far away from seeing RSA and SHA in the same light as MD5.


2 hours ago, jagdtigger said:

Exactly what MS is doing by grabbing and handing keys out without proper authorization. (And no, using force like court orders is not proper authorization.)

MS isn't handing out keys unless they're legally required to. If you have proof to the contrary (voluntary for the lulz), that's newsworthy and I would challenge you to cite such an incident.

 

53 minutes ago, LAwLz said:

But for personal use or if I were in a country that didn't work with the US government (ignoring all the massive amounts of spying the US government does against their allies) I wouldn't trust a closed source program made by Microsoft when there are proven open source alternatives.

With regards to closed source vs OSS, that's a valid point. But do understand that if you step foot in another nation, legally their customs and border patrol could demand seizure of the encrypted device in question, and demand credentials and/or the key to decrypt the contents.

 

Protip: When flying international (depending on the destination), this is why you bring a burner phone/laptop that doesn't contain any data you wouldn't want exposed. 


11 minutes ago, YoungBlade said:

That is not at all what I was talking about. You accuse me of being about to make a strawman, and you do exactly that by assuming I'm implying that anyone with physical access to hardware other than the owner of the data is a form of compromise. No one is arguing that - that would be insane. If I give my laptop to my fiancee or my mom or my best friend to borrow, I don't assume that the data is compromised, because those people are not bad actors. But if I'm at a coffee shop and go up to the counter to get some sugar, only to come back and find that it's gone, now I'm concerned. Just putting the data on Microsoft's servers is not a form of compromise. If Microsoft had a breach of their security, where someone unauthorized got in and stole drives or other hardware containing customer data, that's when the companies involved would have reason to be concerned.

You're missing the point.

If you think that Apple blindly trusts Microsoft and would gladly give them root access to all their servers just because they trust them, then you are wrong.

There are plenty of companies that would not trust giving Microsoft root access to their servers, yet are willing to give them physical access to their servers. Again, there are a host of hardware and software implementations that are designed specifically to protect against attacks from someone with access to the hardware. Those things weren't invented for fun. They were invented so that we wouldn't have to always assume that everything was compromised as soon as someone with potentially ill intentions got a hand on our hardware.

 

 

14 minutes ago, YoungBlade said:

Given how the LTT attack went down, I wouldn't put my trust in things like MFA to be the only means of protection.

I am not sure what you're talking about or why you are bringing up MFA. MFA is not a counter-measurement to hardware-based attacks.

I haven't followed the LTT attack but I would be very surprised if they had proper security measurements in place. Their MO seems to be to half-ass everything because it makes for fun content. If there is anyone you absolutely shouldn't look at for advice on how to do things properly, it's LTT.

 

 

16 minutes ago, YoungBlade said:

And while modern encryption methods are very good, they're all vulnerable to the progress of technology, if nothing else. I remember the days when MD5 was how you were supposed to store passwords on a database - it was common even into the 2000s - which is why in 2005 the guy who wrote it had to tell people to stop using it. Not everyone listened, and there were some successful attacks against it. Even with the flaws, the thing that totally killed it was modern hardware being way too fast compared to the hardware available in 1991 when it was made. There is a good chance that advances in quantum computing will render today's security equally useless in the future.

I think you should do a bit of research on modern encryption algorithms before making comments about them. We have quantum-resistant algorithms already. AES256 is quantum resistant for example because it does not rely on the things quantum computers are believed to excel at, more specifically factorization and discrete logarithm math.

Also, Ron Rivest didn't exactly "tell people to stop using it [MD5]". He said it had been broken in terms of collision resistance. I am not even sure there were any successful attacks done by exploiting it. I think there was some proof of concept and research done, but I don't think it ever became a big issue because we had already moved on to large-key SHA hashing. But now we are talking about hashing for some reason, which is not encryption. It's related to cryptography, but it's not encryption. You don't encrypt things with MD5 or SHA.


7 hours ago, jagdtigger said:

Exactly what MS is doing by grabbing and handing keys out without proper authorization. (And no, using force like court orders is not proper authorization.)

What is proper authorization then? Ask kindly to the criminals doing illegal activities to please hand over evidence and incriminate themselves?

 

Court orders are the proper authorization for this. You can argue that a court may be too willing to grant such an order but that's a different issue to whether or not a court order is proper authorization. Just because it's "yours" doesn't mean you and only you ever in all situations until the universe explodes get the only say over it.

 

Privacy advocate != anarchist

Anarchist != Privacy advocate

 

Know the line, fall where you want, just identify as which side correctly 😉

 


9 hours ago, StDragon said:

MS isn't handing out keys unless they're legally required to.

11 hours ago, jagdtigger said:

And no, using force like court orders is not proper authorization.

And that's the end of this argument. Anyone besides you is not authorized to access your PC, a court order or any law has no effect on this fact. Also MS taking the keys without prompt and approval from the user is also very shady...


2 hours ago, jagdtigger said:

And that's the end of this argument. Anyone besides you is not authorized to access your PC, a court order or any law has no effect on this fact. Also MS taking the keys without prompt and approval from the user is also very shady...

Your freedoms including privacy and the right to even own a PC are that they are due to laws. So now you want to be all picky choosey about which ones you want to follow and say are fine and not others? Hmmm?

 

So are you first in line to give up your legally protected freedoms?


5 hours ago, jagdtigger said:

And that's the end of this argument. Anyone besides you is not authorized to access your PC, a court order or any law has no effect on this fact.

So courts can grant warrants to obtain access to your house...but not your PC? Since when were PCs outside of the law?


11 minutes ago, leadeater said:

Your freedoms including privacy and the right to even own a PC are what they are due to laws. So now you want to be all picky choosy about which ones you want to follow and say are fine and not others? Hmmm?

 

So are you first in line to give up your legally protected freedoms?

That entirely depends on where you live. But that statement isn't true as far as the US goes. The US constitution doesn't grant rights because they're inalienable, rather, it's a framework of restrictions on the Gov.

In the context of encryption, you can't be forced to self-incriminate (the 5th amendment) by giving up your password. That doesn't mean your device can't be cracked or your biometrics taken by force however.

 


9 minutes ago, StDragon said:

That entirely depends on where you live. But that statement isn't true as far as the US goes. The US constitution doesn't grant rights because they're inalienable, rather, it's a framework of restrictions on the Gov.

In the context of encryption, you can't be forced to self-incriminate (the 5th amendment) by giving up your password. That doesn't mean your device can't be cracked or your biometrics taken by force however.

 

 

Quote

On September 25, 1789, the First Congress of the United States proposed 12 amendments to the Constitution. The 1789 Joint Resolution of Congress proposing the amendments is on display in the Rotunda in the National Archives Museum. Ten of the proposed 12 amendments were ratified by three-fourths of the state legislatures on December 15, 1791. The ratified Articles (Articles 3–12) constitute the first 10 amendments of the Constitution, or the U.S. Bill of Rights.

It's very much laws and legal, founding documents still fall under this. That is the legal recognition that these rights should be inalienable. Without it you don't have it no matter if these rights are "inalienable".


40 minutes ago, leadeater said:

Your freedoms including privacy and the right to even own a PC are what they are due to laws. So now you want to be all picky choosy about which ones you want to follow and say are fine and not others? Hmmm?

 

So are you first in line to give up your legally protected freedoms?

Now you are just putting words in my mouth. Argument ended on my side.


If your Windows laptop is stolen and the drive is removable and you have a Home Edition of Windows, you're pwned. Microsoft does not encrypt your local storage unless you have a Pro license and specifically enable BitLocker. Hacking the TPM is almost not even a concern because someone can just take the drive out and read all your data.

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)