“Security expert” Matthew Garrett blows up Windows by enabling the Microsoft 3rd Party UEFI CA certificate, then says the Bitlocker Backdoor (for police) saved his data from the TPM.

“Security expert” Matthew Garrett blew up Windows on the laptop he’s been complaining about all week by enabling the Microsoft 3rd Party UEFI CA certificate, then says the Bitlocker Backdoor (for police) saved his data from the TPM.

My God, this guy couldn’t get better with a bag of chips.

I don’t even have to make much effort to blog about Matthew Garrett FAILs. All I have to do is screenshot the Nitter instance I use.

(Which I use because I don’t want Twitter’s JavaScripts or to sign in to read things. Twitter is a malicious time sink that spies on people. Some people have even been doxxed and profiled for “risk mitigation” by contractors hired by their employer. Something that is impossible if you don’t have an account.)

Essentially, what Garrett is saying is that when you enable Microsoft’s 3rd Party UEFI CA certificate (the certificate that the “shim” which lets “Security Theater Boot” work on GNU/Linux is signed with), the TPM will refuse to decrypt your Bitlocker volumes. Not that this could be any sort of an inconvenience. Right?
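To make the mechanism behind that concrete, here is an added toy model, not code from the post or from Garrett: Bitlocker’s TPM protector is bound to PCR7, the register that records the Secure Boot policy including the trusted certificate list (db), so adding the 3rd Party UEFI CA to db moves PCR7, the TPM refuses to release the key, and only the recovery password gets the volume back. The certificate names are the real ones; the key, recovery password and the way events are hashed are constructed simplifications of what real firmware logs.

```python
import hashlib

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: new = SHA256(old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def pcr7(secure_boot_on: bool, db_certs: list, boot_authority: str) -> bytes:
    """Measure Secure Boot state, the trusted CA list (db) and the CA that
    verified the boot loader, in that order, into a fresh PCR.
    Simplified model: real firmware measures the exact UEFI variable contents."""
    pcr = bytes(32)
    events = [(b"SecureBoot", b"\x01" if secure_boot_on else b"\x00"),
              (b"db", ";".join(sorted(db_certs)).encode()),
              (b"authority", boot_authority.encode())]
    for name, value in events:
        pcr = pcr_extend(pcr, name + b"=" + value)
    return pcr

def seal(vmk: bytes, pcr: bytes) -> tuple:
    return (pcr, vmk)  # TPM protector: the VMK is bound to one PCR7 value

def unseal(protector: tuple, current_pcr: bytes):
    sealed_pcr, vmk = protector
    return vmk if sealed_pcr == current_pcr else None  # TPM refuses on mismatch

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_volume(vmk: bytes, pcr: bytes, recovery_password: str) -> dict:
    rk = hashlib.sha256(recovery_password.encode()).digest()
    return {"tpm_protector": seal(vmk, pcr),
            "recovery_protector": xor(vmk, rk),  # toy encryption of the VMK
            "vmk_check": hashlib.sha256(vmk).digest()}

def unlock_volume(volume: dict, current_pcr: bytes, recovery_password=None):
    """Try the TPM protector; if PCR7 moved, fall back to the recovery password."""
    vmk = unseal(volume["tpm_protector"], current_pcr)
    if vmk is None and recovery_password is not None:
        rk = hashlib.sha256(recovery_password.encode()).digest()
        cand = xor(volume["recovery_protector"], rk)
        if hashlib.sha256(cand).digest() == volume["vmk_check"]:
            vmk = cand
    return vmk

WINDOWS_CA = "Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA = "Microsoft Corporation UEFI CA 2011"  # the CA shim is signed with
VMK, RECOVERY = bytes(range(32)), "000000-111111-222222-333333"  # constructed samples
PCR_BEFORE = pcr7(True, [WINDOWS_CA], WINDOWS_CA)
PCR_AFTER = pcr7(True, [WINDOWS_CA, THIRD_PARTY_CA], WINDOWS_CA)  # db gained a CA
VOLUME = make_volume(VMK, PCR_BEFORE, RECOVERY)
```

The practical lesson for anyone keeping Windows around is to hold the recovery key somewhere you control and to suspend the TPM protector (`manage-bde -protectors -disable C:`) before a firmware update or any Secure Boot change, then resume it afterwards.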

The TPM freaking out is a problem I ran into when I applied an official Lenovo UEFI update for March of 2021 on my ThinkBook 15 ITL Gen2.

There was no warning that this was even possibly going to happen, just like it seems there was no warning on Garrett’s laptop that enabling that certificate would destroy Windows and cause data loss due to the TPM and Bitlocker.

Windows 10 Professional comes with Bitlocker enabled by default. In my case, I told it to delete my recovery key because I didn’t want Microsoft to have a copy to hand to the police if they came looking for whatever reason (I don’t know why they would). I then generated a new recovery key and forgot to write it down before I applied Lenovo’s UEFI update, which tripped the TPM and caused it to refuse to decrypt my files and ask me for a recovery key I didn’t have.

Not that I think it would help, because I also couldn’t make the keyboard work to type anything anyway.

I ended up losing all files that weren’t backed up, which thankfully wasn’t many, and using my 2016 laptop to make a GNU/Linux live installer and wipe Windows off the disk permanently. That turned out to be the kick I needed to get me to stop playing around with shit-ass Windows again.

Since “Secure Boot” is worthless, you should just turn it off permanently and then wipe Windows from the disk.

Of course, back to Bitlocker… If Microsoft has your decryption key, they can be compelled to give it to the police, which makes it a backdoor that they admit to having. There very well may be others that they don’t admit to having.

But if you use Windows at all, the Telemetry, Windows Defender, and Smartscreen are telling them all of the stuff on your computer anyway, and all of your keystrokes. So if you have anything you’re not supposed to have, they can tell law enforcement, and then get themselves compelled to hand over your decryption recovery key if it is in your Microsoft account. Due to being the default, it almost certainly is.

Then you may be in court with your life ruined spending your last pennies on a lawyer in some last ditch effort to stay out of prison.

3 thoughts on ““Security expert” Matthew Garrett blows up Windows by enabling the Microsoft 3rd Party UEFI CA certificate, then says the Bitlocker Backdoor (for police) saved his data from the TPM.”

  1. Pingback: Links 14/07/2022: Microsoft Continues to Intensify Assaults on GNU/Linux, FSF Speaks of Free BIOSes | Techrights

  2. Pingback: System76 Ditches UEFI Firmware Trash, Ships Coreboot Firmware on Linux Laptops. | BaronHK's Rants

  3. Pingback: Ubuntu Plans Really Awful TPM Disk Encryption Which Requires Snaps. | BaronHK's Rants
