
Security Expert Talks Windows 11, TPM, VBS & Much More - The Full Nerd Special Edition
Date: 2022-03-15
Comments and reviews: 10
Bert
- Sandy Bridge: I'm the proud owner of an i5-2520M in a Dec 2011 HP Elitebook.
- Old PCs: I still use a 32-bit Pentium 4 HT (2003) with 4 HDDs (2 IDE & 2 SATA) as a backup server running FreeBSD 13.0 on OpenZFS 2.0 :)
- Win 11: I live in the Dominican Republic and our biggest PC shop specializes in US off-lease PCs. Microsoft must be hating the s--thole countries :(
- Firewall: I have 3 levels of firewalls: the ISP wifi router; my TP-Link wifi router; each PC and each virtual machine. All are closed for inbound traffic, except one VM. My TP-Link router can only be administered from my laptop or desktop Ethernet MAC addresses.
- TPM 2.0: What is the difference between the 14nm Ryzen 3 2200G and the 12nm Ryzen 3 3200G? Both have UEFI and fTPM 2.0. Probably the 3200G has the FBI/NSA-promoted NSA backdoor for TPM 2.0. After the 1st gen Ryzen showed to be popular also with criminals, activists and foreign governments, the NSA agreed with AMD to add that backdoor in newer Ryzen CPUs. For many, many years US companies assisted the FBI/NSA with backdoors, as indicated by Snowden and Linus Torvalds and as proven by the hack of the German chancellor Angela Merkel.
- VBS: In 2018 I started moving my work to 5 VMs for: browsing & communication; banking (encrypted); multimedia; try-outs; Windows. The host runs a minimal install of Ubuntu 21.04 on OpenZFS 2.0. I take a snapshot each week and, if needed after a hack, I roll back to a snapshot of N weeks ago and rerun the updates :) I also kept the previous release of that VM, so I could directly reuse Ubuntu 18.04 if I need time to reinstall and set up 20.04 again :) My data is stored on the host and shared with the VMs on a need-to-know basis.
Joshua
I think they are underselling TPM because of AIK. That's a real security feature that can change scenarios from password-only authentication to something more like two-factor, and it's a lot more secure than an SMS message or email code. Similar security to using TOTP, except the TPM can also attest (with PCRs and Secure Boot) that the machine has not been compromised in certain fundamental ways like a rootkit, and even elevated processes would struggle with VBS (Credential Guard), which can be configured to require physical interaction to disable. (Meaning you have to reboot the computer, a special UEFI loader screen comes up and you have to physically press F3 in UEFI to disable it. Which is guaranteed to be secure with Secure Boot.)
Worth pointing out that a lot of these features do exist for Windows 10 but only in Enterprise (and Education) editions. Windows 11 opens most of them up for all editions. I don't think it's a worthless idea to draw a line in the sand for marketing reasons, so if you have a "Windows 11 device" you are guaranteed to support the new security stuff. You don't need Windows 11. Windows 10 is fully supported for another 4 years.
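The attestation mechanism Joshua describes (PCRs plus Secure Boot letting a verifier tell that the boot chain was not tampered with) can be modelled in a few lines. The code below is an added example, not code from the video or from any commenter: it simulates TPM-style PCR extension over a measured boot, the event log that accompanies it, and the verifier-side replay that catches a modified boot component or an edited log. It assumes SHA-256 PCRs, a single register, and uses an HMAC as a stand-in for the signature a real TPM would produce with an attestation key (AIK); the component blobs and golden values are constructed for the demo.

```python
"""Toy measured-boot attestation: PCR extend, event log, quote, verifier replay.
Added example; not the video's or any commenter's code. Assumptions: one
SHA-256 PCR, HMAC as a stand-in for the TPM's AIK-signed quote."""
import hashlib
import hmac
import os


def measure(component: bytes) -> bytes:
    """Hash of a boot component, as a bootloader would compute before handing off."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = H(old_pcr || measurement).
    Extension is one-way and order-dependent, so a value cannot be set directly."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components):
    """Each stage measures the next into the PCR and records it in the event log.
    Returns the final PCR value and the log the OS can later hand to a verifier."""
    pcr = bytes(32)          # PCRs reset to all-zero at power-on
    event_log = []
    for name, blob in components:
        m = measure(blob)
        event_log.append((name, m))
        pcr = pcr_extend(pcr, m)
    return pcr, event_log


def tpm_quote(pcr: bytes, nonce: bytes, aik: bytes) -> bytes:
    """Stand-in for a TPM quote: an authenticated statement of the PCR value
    bound to the verifier's fresh nonce (prevents replaying an old good quote)."""
    return hmac.new(aik, nonce + pcr, hashlib.sha256).digest()


def verify_attestation(event_log, quoted_pcr, sig, nonce, aik, golden):
    """Verifier: 1) check the quote, 2) replay the log and compare to the quoted
    PCR, 3) compare every measurement against known-good values."""
    if not hmac.compare_digest(tpm_quote(quoted_pcr, nonce, aik), sig):
        return False, "quote signature invalid"
    replayed = bytes(32)
    for _, m in event_log:
        replayed = pcr_extend(replayed, m)
    if replayed != quoted_pcr:
        return False, "event log does not match PCR"
    for name, m in event_log:
        if golden.get(name) != m:
            return False, f"unexpected measurement for {name}"
    return True, "ok"


# Constructed demo data: the known-good boot chain and the verifier's golden values.
GOOD_COMPONENTS = [
    ("firmware", b"demo firmware image v1"),
    ("bootloader", b"demo bootloader v1"),
    ("kernel", b"demo kernel v1"),
]
GOLDEN = {name: measure(blob) for name, blob in GOOD_COMPONENTS}
AIK = b"demo-attestation-key"   # constructed; a real AIK never leaves the TPM


def run_scenario(components, forge_log=False):
    """Boot the given chain, quote the PCR, and run the verifier.
    forge_log=True simulates an attacker editing the OS-side event log to hide
    a modified component; the PCR itself cannot be rewritten, so replay fails."""
    pcr, log = measured_boot(components)
    if forge_log:
        log = [(name, GOLDEN[name]) for name, _ in log]
    nonce = os.urandom(16)            # fresh per attestation, chosen by the verifier
    sig = tpm_quote(pcr, nonce, AIK)
    return verify_attestation(log, pcr, sig, nonce, AIK, GOLDEN)


TAMPERED_COMPONENTS = [
    ("firmware", b"demo firmware image v1"),
    ("bootloader", b"demo bootloader v1 + bootkit"),   # constructed modification
    ("kernel", b"demo kernel v1"),
]

if __name__ == "__main__":
    print("clean boot:      ", run_scenario(GOOD_COMPONENTS))
    print("modified loader: ", run_scenario(TAMPERED_COMPONENTS))
    print("forged log:      ", run_scenario(TAMPERED_COMPONENTS, forge_log=True))
```

Two points the model makes visible: the verifier never trusts the event log on its own but replays it into a PCR and checks that against the quoted value, and the nonce is what stops a compromised machine from presenting an old quote captured while it was still healthy. Windows uses the same pattern (measured boot log plus TPM quote) when Device Health Attestation decides whether a device is trustworthy.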
munchy
I lasted 2 hours on a Yoga 9i with Windows 11. I like it, but unfortunately widgets are non-existent. I need widgets to replace my live tiles. A shortcut for Netflix doesn't cut it anymore. Unfortunately the only entertainment widget you get is actually a news feed advertising Disney and renting Ready Player One on the Microsoft Store, and a calendar and to-do widget. You have a Bing search bar even if you don't use Bing, and news that can't be toggled off, well, I've yet to find out how. Truth is, for a 2-in-1, why wouldn't you have the top ten or even top 3 streaming services make widgets on launch? That I don't get, and after Windows Mobile support and things like Edge not letting me open new tabs to my choice of home page, I'm not likely to try Windows 11 for a good couple of years. And if Microsoft do what Microsoft do, which is push Bing on me and make it hard or make me jump through hoops to stop some things (like default apps can't have Opera, for example), then it'll be Android or Apple or Linux. This is the first OS I have not liked to an extent I can't use, and I liked them all, but enough is enough.
Declineto
This guy's failure to mention armored Kerberos, which Microsoft believes will block pass-the-hash attacks on Active Directory networks and depends on TPM 2.0, lowers my opinion of him. It only has a hope of working if all computers on an Active Directory network are using it, which, I suspect, is the real reason Microsoft decided to have the TPM requirement.
For those who don't know, pass-the-hash attacks consist of infecting some non-privileged user's computer with a virus that causes nuisances for the user to bait an IT person into accessing that computer. From there a tool called mimikatz is used to exploit flaws in Microsoft's authentication protocols to effectively get admin credentials that can be used to install ransomware on every computer on the network.
Nocturnal101
VBS to me is only great for competitive games that don't have flashy visuals and run on potato systems, where hacking runs rampant; it can prevent it, at least for a while, till they find ways around it. But for regular gaming there is absolutely no real need to enable VBS or even use it, as the cost of use isn't ethical.
To me the upgrade to Win 11 is a downgrade in functionality and usability. If I want iOS I'll buy an Apple device; I don't, because I am not a moron that enjoys sheep and walled gardens.
It's just not ready for prime time.
Juan
I think one problem with educating people is that many people think of technology as a hobby or personality type. They say stuff like, "I'm just not into computers." But I think that's just wrong. That's like a dangerous driver saying, "I'm not into cars." That doesn't matter. If you're going to use a car you have to respect others and be careful. Same with technology.
Ni
As an example of what "regular" users do: I once worked with a person whose desktop broke somehow. They threw away the computer and monitor, without first checking if the monitor still worked. It wasn't a cheap monitor. (By the time they told me about it they had already thrown away the computer, so there was nothing I could do.) Thanks for the interview.
RobBCactive
The V-word Microsloth OS was the first I had any confidence in; coming from a UNIX & Linux background, XP was just totally unprofessional and like a toy.
The biggest problem with Windows is the large segment of the user base who decide to ignore updates.
But I am sticking with W10 till next year; W10 21H2 is my upgrade.
Main
They should make it a default setting but optional. As people upgrade to newer hardware naturally over the next 4-5 years, they will move to Windows 11 without even thinking about the TPM and CPU requirement. My 5-year-old machine doesn't meet the minimum system requirements of Windows 11.
Sporty
Guys are talking about security and companies selling user data in a podcast sponsored by Avast? Lol. That is so ironic. Avast actually steals user data and sells it using a shady chain of companies.