
Why does PGP hate TPM and its customers??

Created: 28 Sep 2012 • Updated: 01 Oct 2012 | 6 comments

Got news for all of us PGP customers: Because Symantec is too lazy and sucks too much to do the job we pay them to, they will be discontinuing what little TPM features they have: http://www.symantec.com/business/support/index?page=content&id=TECH196789&actp=search&viewlocale=en_US&searchid=1348761093295


See the note in the grey box towards the bottom? The feature to encrypt to a TPM has been discontinued and will not be further developed. The option to encrypt to a TPM will be removed in one of the future releases.


What a bunch of lazy jerks!!! I just renewed PGP and got the newest update and purchased tech support (which I am pissed that I even had to pay for). The dude on the phone, a nice kid who called me from Poland of all places (beats India, eh?), told me that

we are going to move away from TPM and advise to use Single Sign On instead. One the possible risks with TPM is that in case of a disk failure, when normally you would slave the drive to another PGP Desktop system to decrypt or recover the drive, you would not be able to do that when using TPM.

My response is, yeah, that's the whole god damn point for using TPM to begin with!!!! A password only provides one level of protection. TPM provides an additional level. I pay extra to have a TPM on my computer and I know the risks in using it. Thus, I want the additional protection it offers.

Why can Microsoft's Bit Locker work with TPM on EVERY SINGLE COMPUTER under the sun when PGP cannot? Plus, Bit Locker is free!!!!!! It comes with my Win7 Ultimate!!!!!

I have made repeated complaints before on this forum about the failure of PGP to work with TPM (https://www-secure.symantec.com/connect/forums/pgp-tpm-essential-security   AND  https://www-secure.symantec.com/connect/forums/wde-wont-work-my-tpm ). After getting the run around here from supposed 'experts', I now know the reason why. PGP's TPM would only work on computers running WinXP. Even if your machine was on their hardware list, if it wasn't running WinXP, you'd get no TPM. No way, Jose. No soup for you!

Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely upon the operating system and is not exposed to external software vulnerabilities. Thus, TPM provides you with more security than you would have with just PGP by itself.

Riddle me this, Batman: Since Bit Locker is FIPS 140-2 compliant, since it will work with TPM on ANY computer that you have that runs Win7, and since Bit Locker is FREE, why should I buy PGP? Why should any of us buy PGP? Why am I spending $150 per machine in my organization that has around 200 plus computers to get a product that does not fully work??????????????????

Why, why, why, why??????

And why can't PGP be made to work with TPM in Win7 and not only just with WinXP??


Any of you guys have any answers or care to weigh in? I am certain that since this post is an angry post directed at PGP the admins will probably delete it since they don't want any bad PR. But hopefully someone will answer.
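To make the trade-off in the quoted support answer concrete, here is an added toy model (constructed for this page, not PGP, Symantec or BitLocker code): the volume master key is wrapped under a machine-bound protector (TPM secret plus password) and, separately, under an escrowed recovery key. Slaving the drive to another machine means a different TPM secret, so the TPM protector fails, and the recovery protector is the layer that covers the disk-failure case. All names (kdf, wrap, create_volume, unlock) and the SHA-256/XOR wrapping are simplifications assumed for the demo.

```python
import hashlib
import hmac
import secrets


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte key-encryption key (KEK) from the inputs; SHA-256 stands in for a real KDF."""
    return hashlib.sha256(b"\x00".join(parts)).digest()


def wrap(kek: bytes, vmk: bytes) -> dict:
    """Wrap the volume master key (VMK) under kek: XOR with a derived keystream plus an HMAC tag."""
    stream = hashlib.sha256(b"stream" + kek).digest()
    ct = bytes(a ^ b for a, b in zip(vmk, stream))
    return {"ct": ct, "tag": hmac.new(kek, ct, "sha256").digest()}


def unwrap(kek: bytes, blob: dict):
    """Return the VMK if the tag verifies under kek, otherwise None (wrong password, wrong TPM, ...)."""
    if not hmac.compare_digest(hmac.new(kek, blob["ct"], "sha256").digest(), blob["tag"]):
        return None
    stream = hashlib.sha256(b"stream" + kek).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def create_volume(password: str, tpm_secret: bytes, recovery_key: str):
    """Create a volume with two protectors: TPM+password (machine-bound) and a recovery key (escrowed)."""
    vmk = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    volume = {
        "salt": salt,
        # Machine-bound protector: needs the password AND the secret that only this machine's TPM releases.
        "tpm_password": wrap(kdf(tpm_secret, password.encode(), salt), vmk),
        # Recovery protector: an escrowed key that works on any machine, for the disk-failure case.
        "recovery": wrap(kdf(recovery_key.encode(), salt), vmk),
    }
    return vmk, volume


def unlock(volume: dict, password=None, tpm_secret=None, recovery_key=None):
    """Try the recovery protector if a recovery key is given, else the TPM+password protector."""
    salt = volume["salt"]
    if recovery_key is not None:
        return unwrap(kdf(recovery_key.encode(), salt), volume["recovery"])
    if password is not None and tpm_secret is not None:
        return unwrap(kdf(tpm_secret, password.encode(), salt), volume["tpm_password"])
    return None
```

The point for a deployment is that a TPM-bound protector should never be the only protector; escrow the recovery key (constructed here as a plain string) somewhere the organization controls.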



PGP_Ben

Hi, I hope that this isn't seen as adding more fuel to the fire. But I'm simply providing another point of view. From a security standpoint TPM is not secure. It has been hacked. We do provide token authentication using a USB token or smartcard, which does provide you an extra level of authentication and security. TPM has been "broken" since 2007. See this article here:

http://rdist.root.org/2007/07/16/tpm-hardware-atta...


Another reason why I don't trust bitlocker myself

http://www.scribd.com/doc/24934858/Attacking-the-B...


Heywood

Yeah, I heard that, too. But that "attack" involved using acid with specialized equipment, intimate knowledge of semiconductor design, and advanced skills.

I think I would notice if my desktop computer had its guts taken out when I walked into work the next morning. And his attack was on Infineon chips only.


And according to Microsoft, they have already addressed this issue. http://windowsteamblog.com/windows/b/windowssecurity/archive/2010/02/10/black-hat-tpm-hack-and-bitlocker.aspx

In any event, the TPM hack is very difficult to use, according to the article. It may not be perfectly secure, but it is secure enough. I would not rely upon it solely. But that is why one has a layered approach to security and not relying on just one thing.

In any event, it does not explain why PGP won't work with TPM - and why they are stopping support for TPM - when everyone else does work and does support it.

Why are they stopping, Ben?

And why can't they work with Win7?


Heywood

By the way, I do not have a smart card or a USB token. How can I get my own personally made smart card? And / or how can I get a USB token (is it a special kind or just a regular token)? And what stops someone who finds the token or smart card from just sticking it in the machine and making it run?

But see if you can tell me why PGP won't make itself work with Win7 TPMs.


Eileen

I understand that you are frustrated with the issues around TPM support, however I would ask that when making comments on Symantec Connect that they be as constructive as possible and of a civil nature.

I have put in a request to the product team to reach out to see if they can be of help in this situation.

~Eileen, Security Community Manager

Heywood

How much do you think it costs to buy PGP for 200+ company computers??? And how would you feel only to discover that while PGP has been concealing the fact that no matter what it will not work with a TPM on a Win7 computer even if you use the computer that is on the PGP hardware list? And then you find out that PGP has no intentions to make it work with Win7?

Oh, and did I ask you how much you thought it costs to buy PGP for 200+ computers?

Eileen

Let's get you in touch with the product team so that you can have that conversation.

~Eileen