German gov’t: Windows 8 contains possible backdoor for NSA, Chinese

I’ve been wondering about Pentagon backdoors into personal computers for quite some time. Now we know. According to the German government, who had people in the room when the Windows 8 backdoor system was designed, Window 8 machines with the “Trusted Computing” chip are not to be trusted. They contain hardware and software that give anyone — including potentially the NSA and even the Chinese — with the embedded “control key” complete access to your system.


From a translation of the original German article (my emphasis and adjustments to the translation):

Windows 8 is an unacceptable security risk for companies and authorities, experts warn the government. [S]o-called Trusted Computing is [said to be] a back door for the NSA.

(“Windows 8 ist ein inakzeptables Sicherheitsrisiko für Behörden und Firmen, warnen Experten der Regierung. Das sogenannte Trusted Computing sei eine Hintertür für die NSA.”)

Looks straightforward to me. Have you bought your PC from the Pentagon? If you bought Windows 8, and if Microsoft is in bed with the NSA, you have.

The details

Wolf Richter at Business Insider, reporting on an article in the German-language newspaper Die Zeit, has the story (h/t the Naked Capitalism links page; my emphasis and some reparagraphing everywhere):

According to leaked internal documents from the German Federal Office for Information Security (BSI) that Die Zeit obtained, IT experts figured out that Windows 8, the touch-screen enabled, super-duper, but sales-challenged Microsoft operating system is outright dangerous for data security. It allows Microsoft to control the computer remotely through a built-in backdoor.

Keys to that backdoor are likely accessible to the NSA – and in an unintended ironic twist, perhaps even to the Chinese.

The backdoor is called “Trusted Computing,” developed and promoted by the Trusted Computing Group, founded a decade ago by the all-American tech companies AMD, Cisco, Hewlett-Packard, IBM, Intel, Microsoft, and Wave Systems. Its core element is a chip, the Trusted Platform Module (TPM), and an operating system designed for it, such as Windows 8. Trusted Computing Group has developed the specifications of how the chip and operating systems work together.

Its purpose is Digital Rights Management and computer security. The system decides what software had been legally obtained and would be allowed to run on the computer, and what software, such as illegal copies or viruses and Trojans, should be disabled. The whole process would be governed by Windows, and through remote access, by Microsoft.

Now there is a new set of specifications out, creatively dubbed TPM 2.0. While TPM [1.0] allowed users to opt in and out, TPM 2.0 is activated by default when the computer boots up. The user cannot turn it off. Microsoft decides what software can run on the computer, and the user cannot influence it in any way.

Windows governs TPM 2.0. And what Microsoft does remotely is not visible to the user. In short, users of Windows 8 with TPM 2.0 surrender control over their machines the moment they turn it on for the first time.

It would be easy for Microsoft or chip manufacturers to pass the backdoor keys to the NSA and allow it to control those computers.

No kidding. And would Microsoft actually do that? You know the answer is yes, because they’re already in bed with the Pentagon. They may have even developed the spy-chip in the first place at the request of the Pentagon — sorry, NSA — and simply ladled Digital Rights Management on top of it — either as a property-rights cover story, or a property-rights wet dream, or both.

More at the link. Translated version of Die Zeit article is here (note, not human-translated).

A few more data points, then your takeaways. The hardware heart of the backdoor is the “Trusted Platform Module (TPM)” — some Orwellian genius named it perfectly. The original TPM (1.0) chip is opt in–opt out. The TPM 2.0 chip, on the other hand, turns on by default the first time you boot the machine. I know I quoted this above, but it bears memorization:

While TPM [1.0] allowed users to opt in and out, TPM 2.0 is activated by default when the computer boots up. The user cannot turn it off. … Windows governs TPM 2.0. And what Microsoft does remotely is not visible to the user. … [U]sers of Windows 8 with TPM 2.0 surrender control over their machines the moment they turn it on for the first time.

Anyone with the “control key,” which is generated and added to the chip during production, can control the machine:

[D]uring production, the secret key to that backdoor is generated outside the chip and then transferred to the chip. During this process, copies of all keys can be made. “It’s possible that there are even legal requirements to that effect that cannot be reported.” And so the TPM is “a dream chip of the NSA.”

Perhaps even more ominously, he added: “The other realistic scenario is that TPM chip manufactures [factories] don’t sit within reach of the NSA, but in China….”

The China comment is sourced to this interview, also in German.

Are you stunned? I am. Are you surprised? Frankly, I’m not; I’ve been waiting for this. Now let’s ask Apple if they’re doing the same thing. After all, Apple is an arm of the Pentagon too.


Your takeaways

This is blockbuster stuff, folks. The takeaways are simple:

This is real. Unless Die Zeit is wrong, this is the German government, who was party to the design meetings and negotiations, talking.

Do NOT buy a Windows 8 machine. The article says that Windows 7 will be good through 2020. One benefit of this action — Microsoft is a collaborator with Pentagon spying (because, folks, the NSA is the Pentagon), and it’s vulnerability is money. Windows 8 sales are in the tank. Kicking Windows 8 while it’s down sends a message to Microsoft and also to the Pentagon. (Yes folks, you too can “send a message.”)

Give this information to all of your friends. The enemy is Windows 8 and “Trusted Computing” hardware and software, as well as “Secure Boot” (see the article for that). Tell all of your friends that “Trusted” means the opposite of what it actually is — like “Clean Coal” or “Hope & Change.”

Tell them that “Trusted Computing” means “Don’t Trust This Computer”. Tell them that “Secure Boot” means “Insecure Boot”. Tell them that Microsoft works for the Pentagon, because it does. Repeat until you run out of people to tell.

If you already have Windows 8 with “Trusted Computing”, your system and everything it does is wide open to the NSA and potentially, to any Chinese manufacturers of the chip (see above). Consider buying something else, smaller perhaps and with Windows 7. If you can’t do that, just be careful. You never know when you’ll run afoul of an algorithm — like googling “pressure cooker” and “backpack” in the same day — that puts you (and your entire search history) on their active watch list.

Be glad. The spy-and-muscle arm of the state is really overreaching — has really overreached — and each of these revelations verifies the last revelation. This is a storm — some call it the Snowden effect — and it’s blowing in their faces, not yours.

Ask Apple if they’re doing the same thing? It’s the obvious next question, right?

The state is advertising its brutality; you can help them

Tim DeChristopher, Chelsea (formerly “Bradley”) Manning, Julian Assange, Ed (“We promise not to kill him“) Snowden — the punishment of these men is brutal, over the top, and intended to intimidate, to send a thuggish message.

Well, message sent; and worse for them, message sent to the world.

They’ve already lost Rachel Maddow, and in general, she’s not entirely unhappy with military doings. Their need to be brutal is our lever. Use it by waking people up. After all, you’re just telling the same truth they’re telling. Help make it “Message delivered.” It’s the least you could do (literally), and it’s easy.

More as it develops. When awareness of this Windows 8 backdoor hits widely in the U.S., it will hit big. More than half the country has an NSA (sorry, Microsoft) computer. Who will want Windows 8 if they know this?

UPDATE: I discussed Glenn Greenwald, Edward Snowden, The Guardian and the global security state at some length recently with radio host Arnie Arnesen. The MP3 file of that interview is at the link. Start listening at the 30-minute mark. Thanks.


To follow or send links: @Gaius_Publius

Gaius Publius is a professional writer living on the West Coast of the United States.

Share This Post

53 Responses to “German gov’t: Windows 8 contains possible backdoor for NSA, Chinese”

  1. goulo says:

    FWIW: in light of more recent revelations, it does now seem pretty established that Windows and its “Trusted Computing” technology probably has back doors.
    The NSA has been spending millions to introduce back doors and undocumented security weaknesses (e.g. weakened random number generators for cryptography) into software and hardware made by US companies (whether willingly or under duress).

  2. Thomas Marx says:

    Microsoft has enforced an interim injunction against DIE ZEIT and the BSI to change their warning message. The BSI statement now says:

    The BSI does neither warn the public, nor corporations nor the Federal Administration not to use Windows 8. The BSI presently however sees some critical aspects in certain scenarios of use, when Windows 8 is used in combination with certain hardware which is equiped with TPM 2.0. For certain groups of users TPM 2.0 even can mean an advantage in security. Those are users who for different reason do not care about the security of their systems, cannot care about it or do not wish to care about it, instead trusting the producer of the system to provide and maintain a solution for safety. This is one justified scenario of usage, producers however should provide some transparency about the limitations of the provided architecture and the consequences of its use.

    From the view of the BSI the use of Windows 8 with TPM 2.0 is connected to a loss of control over the operating system and the hardware.This means new risks for users, in particular the federal administration and critical infrastructure. Especially when using TPM 2.0 equipped hardware in combination with Windows 8 from unintentional mistakes by the hardware and software producers but also by the owners of the system, critical conditions can occur preventing the further use of the complete system. Besides the operating system this can lead to hardware being permanently non usable. Such a situation would be unacceptable both for the federal adminstration as for other users. In addition those new mechanisms can be used for acts of sabotage. Those risks have to be faced.

    The BSI regards the full control over information technology, requiring Opt-in or later Opt-out possibilites, as basic requirements for responsible use of hardware and operating systems. Those requirements were addressed in a paper published by the government of the Federal Republic of Germany concerning “Trusted Computing” and “Secure Boot”.

    In general all users must be enabled to use information technology self determinedly and on own responsibilty. This includes to use alternative software or operating systems on own decision.

    In order to achieve those goals in future together with Windows and with the providers of Trusted Platform, the BSI stays connected to the Trusted Platform Group and the producers of hardware and operating systems., in order to find feasible solutions for users and the Federal administration as well as critical infrastructure.

    End of translation, no guarantee for accuracy.

    Original at:;jsessionid=5F95A9EB2307BDADF689B6907EA4F378.2_cid359

  3. Windows 8 is worst ever OS from Microsoft , Or was it Vista?

  4. VolintheVille says:

    OK, trinu, this is a very good Comment thread. Some great info from you and others in this one. Mentally, I am done with Windows, the most recent version I have is Windows 7, the rest are XP Pro. Currently researching some different flavors of Linux to install. Also you had an excellent observation concerning smart phones, in an earlier Comment. I wondered about the TPM / smart phones. Also on the consortium of companies listed. I don’t see TI, I was under the impression TI also made smart phone chips.

  5. perljammer says:

    Perhaps you’re premature in climbing onto this particular paranoia bandwagon. I carry no torch for Windows, having been a satisfied Linux user for 16 years. But the original German newspaper article you cite appears to have gotten the story very wrong. ZENet reports that the German government has refuted the story in very strong terms.

  6. ComradeRutherford says:

    Yes, we do.

  7. Nathanael says:

    Windows is incredibly insecure even in version 7. Take the leap, go to Linux. With Linux, when security bugs are discovered, they are fixed. This is not true with Microsoft or Apple.

  8. Nathanael says:

    Windows 8, however, is a backdoor and does allow remote control. The TPM is used only so that people who install Windows 8 *cannot disable* the backdoor.

  9. Nathanael says:

    Everyone should use encryption just to annoy the NSA.

    Remember, they’ll get in if they want to target you personally, but if everyone is using encryption, it makes them work for their money.

  10. Nathanael says:

    Android can be run fairly securely. It requires significant skill, however. It’s not secure by default. The same is true of Apple’s products.

    Windows cannot be run securely under any circumstances.

  11. Nathanael says:

    This is correct. (Un)Trusted Computing was invented so that Microsoft could remotely wipe out your software if you didn’t pay them bribes. A bit like Amazon deleting books from people’s Kindles.

  12. Nathanael says:

    It is true that Windows has always been *deliberately* insecure. Microsoft invented the email virus (there is no such thing unless you’re running Microsoft Outlook) and the macro virus (there is no such thing unless you’re running Microsoft Office) and then implemented “automatically exposed to any script kiddie hacker by default” in Windows 98 (IIRC) as part of their propaganda campaign to convince regulators that a web browser was part of the operating system (which it isn’t).

    An unpatched Windows system connected to the Internet becomes a “zombie” (controlled by some remote hacker) within less than 60 seconds — there was a nice article about it, because a test was done by some security researchers.

    I stopped using Windows for anything but computer games, and then only when not plugged into the Internet, in roughly 2002. I stopped using it entirely a few years later.

    Unless you need specialized software which only runs on Windows, switch to Linux.

  13. Nathanael says:

    The chip *allows* for a backdoor to be *implemented*. It does not itself provide a backdoor (there would be some difficulties doing that entirely in hardware).

    Windows 8 implements the backdoor.

  14. BeccaM says:

    And even worse:

    National Security Agency officers on several occasions have channeled their agency’s enormous eavesdropping power to spy on love interests, U.S. officials said.

    This is why the repeated assurances they have “safeguards” to ensure these abilities to monitor anyone, anywhere, through any means of electronic communications used won’t be abused is utter bollocks.

    Of course they’ll be abused. We humans are easily corrupted, especially when we have power that is accountable to no one and when the use of it can be easily concealed.

  15. ComradeRutherford says:

    All Windows OS has always had backdoors for the Fed since the dawn of time. I’ve heard about this government backdoor in Windows for over a decade now.

  16. GaiusPublius says:

    Thanks, Roman, but I’m seeing the same commentary in a lot of places, including the tech sites. I don’t see links to a corrected explanation. For example:

    Can you offer links that rebut the claim? (Note, BTW, that the claim is based on a leaked document from German gov’t IT security. That document would have to be either false or faked for this to be radically wrong.)

    Thanks for the comment,


  17. Roman Berry says:

    Gaus Publius, I hope you follow up on (and correct) this article. TPM, even TPM 2.0, is not a “backdoor” into a machine. TPM 2,0 allows for code signing verification and can be used to restrict the software that a machine can run, but it offers no door into the machine, either locally or remotely, at all. And guess what? Google’s Chromebooks? TPM 2.0.

    Fact is most consumer class desktop machines (and not that many laptops either) don’t even have a TPM module. and for those that do, it’s primarily used for BitLocker driver encryption. As far as the keys…any IT admin worth their paycheck can generate brand new keys that are recorded nowhere save their own records.

    The article was wrong. Your comments on it follow suit.

  18. Roman Berry says:

    This new “revelation”…isn’t a revelation. As far as Win 8, don’t rely on what you’ve heard.* Try it for yourself. Better yet, wait until Win 8.1 in October, especially if you’re looking for a desktop OS.

    *Apple has fans. MS has critics.

  19. Roman Berry says:

    Straight to the point, the article is wrong. The TPM platform is not a “back door” and it most certainly does not allow “remote control.” Articles like this are what happens when people who don’t know what they’re talking about write articles about those very things.

  20. zorbear says:

    A friend used to say the same thing about his old Volvo until someone broke out his window and broke the latch on his glove compartment door. One: the door and the glove compartment were unlocked, and two: there was nothing in the glove compartment.

    Nothing is fool proof — there’s just too many of them…

  21. xihetafolex says:

    мy coυѕιɴ ιѕ мαĸιɴɢ $51/нoυr oɴlιɴe. υɴeмployed ғor α coυple oғ yeαrѕ αɴd prevιoυѕ yeαr ѕнe ɢoт α $1З619cнecĸ wιтн oɴlιɴe joв ғor α coυple oғ dαyѕ. ѕee мore αт…­ ­ViewMore——————————————&#46qr&#46net/kAgk

    If you can’t find one by shopping online, you can usually find a high school or college student in your area who’s willing to build you a custom desktop.

  22. Snaggletooth says:

    It’s worth mentioning that Windows Vista and Windows 7 are TPM compliant. It is unusual for desktops outside of a corporate environment to posses TPM chips, but not unheard of. Also worth mentioning is that they are not so uncommon in higher end laptops. TPM chips are used for Windows Bitlocker encryption. If your computer or laptop uses Bitlocker for encryption you have high odds of a TPM chip in your system.

  23. Vince in Cedar Rapids says:

    Agreed! A more stable operating system as well!

  24. Quasimofo says:

    Now there is no better time for switching to Linux!
    -Posted from a Mac running Linux. :-)

  25. nicho says:

    In the ’70s, my sister moved into an apartment next door to an old German woman. She had come to the US after the war. One day, she told my sister, “I don’t know what people say such terrible things about Hitler. He did such wonderful things for Germany.”

  26. Indigo says:

    True enough but they’ll have to break in through the patio gate first. It’d be a lot of trouble and not really worth the effort.

  27. Naja pallida says:

    While it seems that they’ve finally given up the pretense, Windows in all of its iterations has always been inherently insecure, in favor of ease of use. If you’re not deactivating a bunch of default services, running third party security software, along with a good firewall, there isn’t much the NSA couldn’t do to your internet-connected computer if they put their minds to it… plus, most traffic coming out of it is plain text and easily intercepted and deciphered. And I’m sure the NSA has the capability of decrypting all but the highest grades of commonly available software encryption. After all, decryption is specifically what they did before they decided that they should know everyone’s porn preferences.

  28. trinu says:

    If you can’t find one by shopping online, you can usually find a high school or college student in your area who’s willing to build you a custom desktop.

  29. samiinh says:

    Hmmm…sucks being me as I have two new computers running Windows 8, though I don’t use the Start Screen often but instead use that Desktop that looks like Windows 7. Oh well, I hope the NSA enjoys hot gay porn!!!!!!

  30. goulo says:

    I switched from Windows to Linux years ago and have not missed having Windows. The occasional inconvenience of some software being for Windows and not working on Linux is more than compensated by the better security, the openness, and the speed + stability.

  31. Bill_Perdue says:

    And some people still deny the existence of a police state?

  32. GaiusPublius says:

    Yes. Perfectly put.


  33. nicho says:

    Yeah, but if the door’s not latched, it’s not “breaking and entering.” Also, while locking things won’t stop someone who is determined, it will stop the “casual thief” who goes around looking for unlocked doors. They won’t smash in, but if the door is open, they’ll go in.

  34. nicho says:

    Android is so full of holes (and viruses and malware) that it’s ridiculous. The NSA doesn’t need anyone’s help. Android devices could be compromised by a middle schooler.

  35. nicho says:

    It gets worse:

    The National Security Agency paid millions of dollars to cover the costs of major internet companies involved in the Prism surveillance program after a court ruled that some of the agency’s activities were unconstitutional, according to top-secret material passed to the Guardian.

    The technology companies, which the NSA says includes Google, Yahoo, Microsoft and Facebook, incurred the costs to meet new certification demands in the wake of the ruling from the Foreign Intelligence Surveillance (Fisa) court.

    Your tax dollars at work.

  36. Indigo says:

    I’m aware of that but I’m not convinced there’s any reason to add a layer of encryption just so I can pretend my surfing is secure from first layer snooping. They’ll get in if they want in. I trust them to know how to do that. I also don’t latch my sliding-glass patio door because if somebody wants to break in, I’d just as soon not have to clean up the broken glass.

  37. Indigo says:

    Excuse me, but why does it take an article in a German newspaper to tell us what we already know?

  38. samiinh says:

    IOW, if you have a computer running Windows 8 you automatically have the Trusted Computing chip that allows your machine to be entered by a backdoor. (As you can see, I’m not a computer or IT expert and appreciate your input).

  39. GaiusPublius says:

    It’s all Win 8. There’s a part of Win 8 that looks like Win 7 (the Desktop) but that’s just the interface. Sorry…


  40. samiinh says:

    How do you tell if you have “Trusted Computing” in your Windows 8 computer. When using the Windows 7 part of Windows 8, are you still subject to spying?

  41. trinu says:

    Google makes lots of money using your private info for targeted advertising. My advice is to ditch the smart phone; trust me you’ll be surprised at how much you DON’T need it.

  42. Monoceros Forth says:

    Reading the article, I wonder how much of this “Trusted Computing” business is meant not so much for covert spying as for Microsoft’s intention to enforce a subscription model for the use of its software. It’s no secret that Microsoft and other software companies are hoping to compel users to pay for the use of their software on a continual basis, rather than simply paying for an application and using it freely after that. This I suspect is the chief reason MS wants to have remote control over your machine, so it can ruthlessly enforce its subscription model when the time comes.

  43. Outspoken1 says:

    Not trying to be snarky; serious question. What about Android (it’s on many cell phones and tablets)?

  44. Hue-Man says:

    Maybe I’ll stick with XP a while longer! If they’ve got all this information, why don’t they just go ahead and prepare my tax return for me and leave the finished .pdf file on my Desktop?!

    BTW, I don’t start listing until at least my 4th drink. :-)

  45. TheOriginalLiz says:

    Yes, news like this makes me love my linux even more…

  46. trinu says:

    Slightly OT: If you have either Firefox or Chrome, there’s another
    way you can show defiance to the NSA. has an extension
    called HTTPS-Everywhere. It encrypts much of your web surfing on sites
    that support encryption (note: americablog is not one of them). We know
    from Snowden’s documents that XKeyscore’s capabilities are limited by
    lack of sufficient storage – the Utah facility is still under
    construction – and that they seem to assume merely using encryption as
    suspicious. I hope I’m not out of line, but I am asking for an act of
    pseudo-civil disobedience.

  47. jomicur says:

    I bought a new computer a couple of months ago, and I made a concerted effort to find a Windows 7 machine that met my needs. My primary concern was all the negative stuff I’d heard about Windows 8; no one I know who has it, likes it. But this new revelation makes me doubly happy with my decision. (Not that I trust Microsoft even for Windows 7 to be secure, but I guess hope springs eternal.)

    There are still Windows 7 machines on the market, though it can take a bit of ferreting to find them I’d say it’s worth the effort.

  48. Monoceros Forth says:

    I wouldn’t call myself a Windows “fanboy”, though I do use Windows 7 regularly and with reasonable contentment. As long as Windows is pushing the “Metro” interface, though, I’m disinclined to use Windows 8 any time soon.

  49. BeccaM says:

    Oh, I’m plenty geeky enough to make it work. I’ve been building my own computers since the early 80s.

  50. trinu says:

    True, a trusted chip can probably circumvented with a mod chip. And there’s always Linux (windows 7 appears to be safe too … for now). If you want to switch over Linux, I’m sure a lot people know someone geeky enough to be able help them.

  51. trinu says:

    Well in their defense, I wouldn’t be surprised if Apple had something similar. If there’s a hardware backdoor, that’s gonna hard to get rid of, even if you install a different OS. All I can say is try to buy a computer without either this “trusted” chip or Windows 8. If necessary ask a teenage tech geek for help.

  52. BeccaM says:

    What’s built in can usually be circumvented. Hackers and software programmers are a clever bunch.

    I’d say there’s a bunch of money to be made for someone who can come up with a means of blocking or disabling the TPM…

    Short of that, well, I guess it may be time for me once again to look into Wine/Linux as an alternative. The reason being, that if the Security State is going to this much trouble to put their crowbars into current commercial operating systems, I rather doubt they’ll leave Win7 alone for the rest of the decade either.

  53. nicho says:

    Redmond fanboys trolling in 5…4…3….

© 2021 AMERICAblog Media, LLC. All rights reserved. · Entries RSS