Friday Squid Blogging: International Squid Awareness Day
It’s International Cephalopod Awareness Days this week, and Tuesday was Squid Day.
I can’t believe I missed it.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Jacob • October 13, 2017 4:34 PM
Infineon’s TPM (v.1.2, V.2) has been producing weak RSA keys, regardless of OS, for many years.
Requires fairly complex and lengthy fix, consisting of firmware/software updates (FW update at the mercy of machine OEM), possibly with zeroing out TPM’s registers thus requiring extensive backups/boot recovery options before fix implementation.
Get ready to lose PK certificates and encryprion keys. Also, you must review of all past-generated keys if still in use.
This bodes ill on assurance procedures for a critical trust anchor. The TPM chip, implementing various anti-hacking methods, protected against EM and PWR side-channel attacks, undergone extensive code reviews and received EAL 4 assurance certificate, shows that one can still not trust the custodians.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update