by calebh 586 days ago
What about using TPM modules? I've been researching these modules lately, primarily for use in online video games. From my understanding, you can use TPMs to effectively ban players (TPM ban) based on their hardware. This would mean every time an account is banned, the bad actor would have to switch to a different TPM. Since a TPM costs real money, this places a limit on the scalability of a bad actor.
3 comments

Cool, if you can require them for every possible interaction on a platform but even that violates privacy if you have one universal value that ties it all together (the identifier of the specific TPM).

It's just the phone number/email issue but tied to hardware. If you think these things won't leak and allow bad actors to tie your accounts across services then I have some lovely real estate in Florida you may be interested in.

It also appears that resetting an fTPM works around this since it fully resets the TPM. Even if it didn't, people buying used CPUs could find that they're banned from games that they've never even played or installed on their system before.

> It also appears that resetting an fTPM works around this since it fully resets the TPM. Even if it didn't, people buying used CPUs could find that they're banned from games that they've never even played or installed on their system before.

It depends on how the TPM utilization was applied in practice. The initial manufacturer key (Endorsement Key) is hardcoded and unextractable. All the long-lived keys are derived from it, and can be verified by using the public part of the EK. Usually the EK (or a cert created from it) is directly used for remote attestation.

More here, for example: https://learn.microsoft.com/en-us/windows-server/identity/ad...

> What about using TPM modules? I've been researching these modules lately, primarily for use in online video games. From my understanding, you can use TPMs to effectively ban players (TPM ban) based on their hardware. This would mean every time an account is banned, the bad actor would have to switch to a different TPM. Since a TPM costs real money, this places a limit on the scalability of a bad actor.

It is even worse for privacy than a phone number. You can never change it, and you can be linked between different services, soon automatically if Google goes forward with its plans.

A TPM can be emulated in software; QEMU already supports this for running Windows 11.