Even without naming the companies involved, it's very hard to imagine they are inserting backdoors in less-valued products while somehow missing the crown jewels of Windows and TPM.
I keep finding myself in the awkward position of trying to refute conspiracy theories, but not being at liberty to share everything I know about these scenarios (I really need to work somewhere besides DC), so I'll tread lightly.
Taking for granted that the NSA actually backdoored TPMs (which I can assert professionally is very unlikely, but I don't expect anyone to take my word for it), they are far from "crown jewels".
The only "meaningful" large-scale use of TPMs is actually within the Department of Defense. It's been a pretty uphill battle getting them deployed and used in other environments.
You realize that these are exactly the same arguments that were brought up to argue against the details revealed in these documents, so perhaps appeals to authority and use of the words 'conspiracy theories' may be taken with a few more grains of salt. NSA backdoors have been alleged for decades now, and the response is always that they're a 'conspiracy theory'.
TPM 2.0 is a crown jewel for the NSA. Windows 8 full-disk encryption is based on TPM, and Windows 8.1 certification requires a TPM 2.0 module. It already is or soon will be universal in PC hardware. The NSA was involved in its creation, and resisted changes to the standard. At the same time the German government was claiming there were no backdoors in Windows or TPM, privately they had already concluded it was compromised.
Yeah, I have to agree. The wide distribution of Windows makes it an important thing to have access to. In fact, I would go so far as to say that every commercial WDE is suspect.
"I keep finding myself in the awkward position of trying to refute conspiracy theories, but not being at liberty to share everything I know about these scenarios"
There are things I want to say about that sort of thinking, but I am afraid to say them. What a wonderful world...
Disagree. Over the medium term, TPMs (which message board geeks have been unhelpfully demonizing for years) are part of a system of technologies that could make laptop encryption much harder to break. Laptop encryption is a real operational challenge for both HUMINT and law enforcement.
That's true, but I've spent a good portion of the last year and a half dealing with them and disagree on the likelihood of them ever achieving any widespread adoption. My company would love for me to be wrong about this.
No, but now we cannot just assume that cryptosystems are being developed in good faith or that mistakes are not actually covert sabotage. We need to check these systems before we put our trust in them.
But why would you ever have assumed this? I mean, I don't really care whether something was a mistake in good faith or covert sabotage; the useful question is whether something is secure or not as far as I can tell. Assessing the motivations is a complete waste of my time as an individual.
It does matter if the NSA is actively sabotaging our cryptosystems. If people are making mistakes we can solve the problem as a community by improving the techniques we use to develop, document, and test cryptosystems. If we are dealing with people who are deliberately weakening our cryptosystems, it will be harder to push better techniques because our adversary will push back against them, or sabotage the techniques themselves.
In my view this was true anyway, since any mistake could be the result of foolishness or malice - if not on the part of the NSA, on that of the Russian, Chinese, British, Israeli, (etc.) security services. Crypto is an arms race between people with conflicting interests, and always has been; I don't mean to be rude, but I think your former view of the way things operated was a bit naive.