Once upon a time I spent a couple of hours looking at the Dell update utility and found that it pretty much allowed remote code execution to any web page your browser visits[1][2]. The quality of their code, the clear lack of anyone with any security knowledge looking at it and the 'fix' they deployed[3] made me never ever trust Dell again.
Seriously, their entire security relied on 'if url.endswith('dell.com')', plus a bunch of home grown 'encryption' that was utterly ridiculous. I'm sure if anyone spent a good hour or so looking at some of the oodles of software they pre-install on laptops you can dig up some other juicy exploits.
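An added example, not code from the Dell utility or from this comment's author, of the origin check described above: the raw `url.endswith('dell.com')` pattern next to the check it should have been. The probe URLs are constructed for illustration and `evil.example` is a placeholder attacker host.

```python
"""Weak vs. correct "is this page allowed to talk to me?" origin check.

Added example. weak_is_trusted() mirrors the `url.endswith('dell.com')`
pattern described in the comment; is_trusted_origin() is what a check on the
page origin should do. All probe URLs below are constructed; evil.example is
a placeholder attacker host.
"""
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "dell.com"


def weak_is_trusted(url: str) -> bool:
    """The pattern the comment describes: a raw suffix match on the URL string."""
    return url.endswith(ALLOWED_DOMAIN)


def is_trusted_origin(url: str) -> bool:
    """Parse the URL, then check scheme and the host exactly.

    - https only: an http page can be rewritten by any on-path attacker.
    - host must be dell.com itself or a subdomain ending in '.dell.com';
      the leading dot is what stops 'notdell.com'.
    - userinfo, port, path, query and fragment play no part in the decision,
      because on any site they are attacker-controlled.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname strips userinfo and port and lowercases; a trailing dot is the same host.
    host = (parts.hostname or "").rstrip(".")
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


# Constructed probes: (URL a page can make the browser request, should it be trusted?)
PROBES = [
    ("https://www.dell.com/support", True),
    ("https://dell.com", True),
    ("http://www.dell.com/support", False),            # plaintext, MITM-able
    ("https://notdell.com", False),                    # suffix collision
    ("https://www.dell.com.evil.example/", False),     # dell.com as a label, not the domain
    ("https://evil.example/?return=dell.com", False),  # suffix lives in the query string
    ("https://dell.com@evil.example/", False),         # dell.com as userinfo
    ("https://evil.example/#dell.com", False),         # suffix lives in the fragment
]


def false_accepts(check) -> list:
    """Probe URLs that `check` trusts but should not (the exploitable cases)."""
    return [u for u, ok in PROBES if not ok and check(u)]


def false_rejects(check) -> list:
    """Legitimate probe URLs that `check` refuses (the check is also too narrow)."""
    return [u for u, ok in PROBES if ok and not check(u)]


if __name__ == "__main__":
    for name, check in (("weak", weak_is_trusted), ("hardened", is_trusted_origin)):
        print(f"{name}: wrongly trusts {false_accepts(check)}, wrongly rejects {false_rejects(check)}")
```

The suffix match fails in both directions: it trusts any page whose URL merely ends in the string (a query parameter or fragment is enough, no lookalike domain needed), and it rejects the vendor's own pages as soon as a path follows the host. The fix is to decide on the parsed scheme and host and nothing else.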
Is this a hardware or a software boycott? Because I have trouble finding anything remotely decent when it comes to MacBook Pro alternatives. Then again, I just sorta assumed most people always did clean installs and wiped the pre-installed shit that every PC vendor bundles.
What really bugs me about this whole certificate saga is this: Ok, so you messed up. But then we get this - to my ears - absolutely bogus spiel about this being for 'improved customer service'. I find it very hard to make that link. And then, to add insult to injury, after messing up like that there is no 'all hands' inside Dell to see if that 'mistake' (let's assume it really is a mistake, to be kind to them) had been made in more than one place, which in fact it was.
Once is normal, twice may be coincidence, thrice is enemy action. Let's hope for Dell that there won't be a third, and if there is, that they spot it themselves before someone else does. And I'm not buying the line about 'improved customer service' even for a moment: you can't improve customer service by allowing anybody aware of this certificate to MITM any and all connections from these machines, and even if that were the case, it is just a little bit too convenient that such a mistake would also include the private key, which allows Dell to conveniently deny that they ever leaked the private key to anybody in particular (instead, they leaked it to the world at large).
Superfish was bad, this is in some ways just as bad or worse.
Now, Dell, can we please have a detailed technical explanation about why these two root certificates and their private keys were stashed on customers' machines without their knowledge, centering on specific functionality (as in: what is it that you could not do without these certificates and keys being distributed?) rather than some weasel-worded technobabble about 'improved support'?
Does anyone know of a tool for Windows and OSX that will audit all the certificates installed on a machine and tell you which ones are removed, compromised, or generally unrecognized? It would be great if there were one, so I can run audits, because even if you install a fresh copy of the OS, the NSA and their friends can eventually sneak a cert on there. It would be great if there were an audit tool.
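An added example answering the question above; it is not an existing tool and not code from the page. It snapshots the SHA-256 fingerprints of every root in the OS trust store once, on a machine you believe is clean, and later diffs the live store against that snapshot: anything present now but absent from the baseline is "unrecognized" (an eDellRoot-style addition), anything in the baseline but gone now is "removed". The per-platform commands and paths in `load_live_roots()` are assumptions about where each OS keeps its roots; the fingerprinting and diff logic is platform independent and runs offline on constructed sample data.

```python
"""Trust-store baseline/diff audit. Added example, not an existing tool.

Only the Python standard library is used. Fingerprints are SHA-256 over the
DER encoding, the same value `openssl x509 -fingerprint -sha256` prints, so
entries can be cross-checked by hand. Where each OS keeps its roots (the
ssl.enum_certificates store name, the macOS keychain paths, the Linux bundle
path) are assumptions; extend them for user keychains or CurrentUser stores.
"""
import base64
import hashlib
import json
import platform
import re
import ssl
import subprocess
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_to_ders(text: str) -> list:
    """Split a PEM bundle into DER bodies (base64 with all whitespace removed)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as browsers and openssl show it."""
    hex_digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))


def snapshot(ders) -> set:
    return {fingerprint(d) for d in ders}


def diff_stores(baseline: set, live: set) -> dict:
    """'unrecognized': in the live store but not in the baseline.
    'removed': in the baseline but gone from the live store."""
    return {"unrecognized": sorted(live - baseline), "removed": sorted(baseline - live)}


def load_live_roots() -> list:
    """Read the OS root store as DER blobs (platform locations are assumptions)."""
    system = platform.system()
    if system == "Windows":
        # Windows-only API; "ROOT" is the Trusted Root Certification Authorities store.
        return [der for der, enc, _trust in ssl.enum_certificates("ROOT") if enc == "x509_asn"]
    if system == "Darwin":
        pem = ""
        for keychain in ("/System/Library/Keychains/SystemRootCertificates.keychain",
                         "/Library/Keychains/System.keychain"):  # admin-added roots land here
            pem += subprocess.run(["security", "find-certificate", "-a", "-p", keychain],
                                  capture_output=True, text=True, check=False).stdout
        return pem_bundle_to_ders(pem)
    bundle = Path("/etc/ssl/certs/ca-certificates.crt")  # Debian-style bundle
    return pem_bundle_to_ders(bundle.read_text()) if bundle.exists() else []


def save_baseline(path: Path, fps: set) -> None:
    path.write_text(json.dumps(sorted(fps), indent=1))


def load_baseline(path: Path) -> set:
    return set(json.loads(path.read_text()))


def constructed_pem(body: bytes) -> str:
    """Constructed sample: a PEM block wrapping arbitrary bytes. Not a real
    certificate; it only exercises the parse/fingerprint/diff path offline."""
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


def demo() -> dict:
    """Offline run on constructed data: root A disappears, root C appears."""
    baseline = snapshot(pem_bundle_to_ders(constructed_pem(b"root A") + constructed_pem(b"root B")))
    live = snapshot(pem_bundle_to_ders(constructed_pem(b"root B") + constructed_pem(b"root C")))
    return diff_stores(baseline, live)


if __name__ == "__main__":
    import sys
    baseline_file = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("roots-baseline.json")
    live = snapshot(load_live_roots())
    if baseline_file.exists():
        print(json.dumps(diff_stores(load_baseline(baseline_file), live), indent=1))
    else:
        save_baseline(baseline_file, live)
        print(f"baseline of {len(live)} roots written to {baseline_file}")
```

Run it once to write the baseline, then again on a schedule to see what changed; an unrecognized entry is the cue to inspect that certificate by fingerprint. This catches additions and removals but says nothing about the defect in this thread, a private key stored alongside the root. On Windows that check is direct from an elevated PowerShell prompt: `Get-ChildItem Cert:\LocalMachine\Root | Where-Object HasPrivateKey` lists roots for which the machine holds the key, and a trusted root should never appear there.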
A part of me wants to go "Un-freaking-believable!"
The other part is like, "You really did not see this coming?"
The worst part is that this was probably done for ridiculous reasons. If they had put the certificate on their systems to allow the NSA to spy on their customers (just as a hypothetical example), planting such a certificate would probably be a reasonable approach. But in the case of Lenovo and Superfish, this was done to show f___ing advertisements to users, and I am certain in Dell's case their reason is not much better. And for that, they put their customers' security at risk. For freaking advertisements and (Dell's claim, I think) making life slightly easier for their support staff.
Am I reading it correctly that they also included the private keys? Why are the private keys for the cert installed with the cert? That doesn't make any sense.
Is this just incompetence, or is there some other reason that I'm failing to understand?
It reminds me of the various usability studies of PGP where new users, tasked to exchange keys with a correspondent, in a large percentage of cases emailed the private key to the recipient. It's awfully easy to do.
Exactly how Dell managed to distribute both private and public keys to this certificate is a wonder.
It might make sense if a unique private key was generated each time the application was downloaded.
For example, a user wishing to use the Azure web services either supplies their own cert/public key to Azure, OR requests Azure to generate a unique cert/key, and supplies the private key to you. Now, obviously, someone using Azure APIs doesn't install this key into your root store.
And that's the second "WTF?" - why install this as a Trusted Root cert, when your application could just hold it locally, and reference it?
(The first WTF being distributing a common private key - rendering the point of encryption useless.)
Maybe it's a good time to share this - I just bought a brand-new Dell XPS 15 and it runs Ubuntu like a dream. The only problem I've had is that suspend/resume (i.e. closing the lid) causes a kernel panic, but I've heard that's fixed in the next kernel release.
Regarding the suspend/resume stuff, which version of Ubuntu are you running? I don't have a problem, but I had to do a couple of things to get it working more like a Macbook: http://karlgrz.com/dell-xps-15-ubuntu-tweaks/
I am convinced that the only thing that approaches the designed security level of an operating system is to buy a machine, completely wipe it and install your own paid-for copy.
It appears that hardware vendors cannot make enough money merely selling hardware, and so they sell access, data and advertising to third parties (at least Superfish was in that area).
Being able to mod the software on your car is (I think) recently allowed (by the Librarian of Congress?). But it can be taken away at any revisiting event. I can see the day coming when it will be illegal to wipe a machine, because circumventing.
This isn't an inherently bad idea – it works to provide critical drivers which you might need to get online, for example – but it really underscores how much depends on the OEM being more diligent than they've been in the past.
For what it's worth, Apple machines come secure out of the box, without any of this BS. They even prompt you to set up full disk encryption, and because it's well designed, almost anyone can figure it out.
> I am convinced that the only thing that approaches the designed security level of an operating system is to buy a machine, completely wipe it and install your own paid for copy.
Of something other than Windows, since Windows will automatically run binaries provided by the firmware in the "Windows Platform Binary Table", which hardware vendors now use to reinstall their malware into a fresh Windows install.
(Of course, if you don't trust the firmware, it can do any number of other terrible things to you as well. And firmware from major hardware vendors has messed with Windows partitions to reinstall malware even without the WPBT.)
> Nevertheless, because both eDellRoot and DSDTestProvider are installed in the Windows root store for certificate authorities together with their private keys, they can be used by attackers to generate rogue certificates for any website that would be accepted on the affected Dell systems.
It's not the certificate that's the problem. It's the installation of the private keys along with the certificate.
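An added example, not code from the page or from Dell, of the point made in the quoted passage and in the comments above it: a root certificate in the trust store whose private key is also known is a key that issues a valid-looking certificate for any hostname. It generates a throwaway stand-in root (not Dell's eDellRoot key, which is not reproduced here), mints a leaf for a constructed hostname, and checks that the leaf chains to the root. It assumes the third-party `cryptography` package is installed.

```python
"""A root certificate plus its private key is a universal MITM key.

Added example. The root generated here is a stand-in, not Dell's eDellRoot;
www.bank.example is a constructed hostname. Requires the `cryptography`
package (an assumption about the environment).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity(days: int):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=days)


def make_root(common_name: str):
    """A self-signed CA of the kind an OEM tool might drop into the root store."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(3650)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def mint_leaf(ca_key, ca_cert, hostname: str):
    """What anyone holding the root's private key can do: issue a server
    certificate for an arbitrary name that every machine trusting the root
    will accept. Browsers match the SAN, so that is where the name goes."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity(365)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def chains_to(leaf, root) -> bool:
    """Minimal issuer check: names match and the root's public key verifies
    the leaf's signature over its TBS bytes. A real validator also checks
    validity dates, BasicConstraints and revocation; none of those help here."""
    if leaf.issuer != root.subject:
        return False
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
        return True
    except Exception:
        return False


def dns_names(cert) -> list:
    """DNS names the certificate is valid for, from the SAN extension."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    leaked_key, root = make_root("Stand-in OEM Root")      # what shipped on the machine
    _leaf_key, rogue = mint_leaf(leaked_key, root, "www.bank.example")
    print("rogue cert for", dns_names(rogue), "chains to the shipped root:", chains_to(rogue, root))
```

Nothing about the target site is needed: no compromise of the bank, no mis-issued public CA certificate. Pinning does not help either; browsers skip pin enforcement for chains that end in a locally installed root, precisely so that corporate proxies work. The only remediation is removing the root from the store, which is why "it was only for support" is no defence.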
orf | 10 years ago
1. http://webcache.googleusercontent.com/search?q=cache:http://... (site's down at the moment :/)
2. http://www.theregister.co.uk/2015/04/08/dell_update_security...
3. They literally just updated their home grown encryption/authentication code and made it clear that they didn't understand the issue at all.
meritt | 10 years ago
skykooler | 10 years ago
jacquesm | 10 years ago
api | 10 years ago
hannob | 10 years ago
Also updated my corresponding blog post (links to cert and key there in case you're interested): https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-...
electic | 10 years ago
mtgx | 10 years ago
http://www.theregister.co.uk/2015/11/25/dell_backdoor_part_t...
jacquesm | 10 years ago
krylon | 10 years ago
Seriously, what were these guys thinking?
eitland | 10 years ago
OTOH Dell used to bundle adware openly around 2007 and a lot of manufacturers still bundle badware/scareware. (Yes, I'm talking about McAfee here.)
ultramancool | 10 years ago
AndyMcConachie | 10 years ago
jloughry | 10 years ago
Swannie | 10 years ago
bognition | 10 years ago
ctangent | 10 years ago
And the best part - no bogus certs!
CamperBob2 | 10 years ago
> ... The only problem I've had is that suspend/resume (i.e. closing the lid) causes a kernel panic
I think it's time to apply a higher standard to "runs like a dream."
karlgrz | 10 years ago
a3n | 10 years ago
acdha | 10 years ago
http://arstechnica.com/information-technology/2015/08/lenovo...
robszumski | 10 years ago
JoshTriplett | 10 years ago
zby | 10 years ago
http://geer.tinho.net/geer.blackhat.6viii14.txt
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&e...
ballpark | 10 years ago
reustle | 10 years ago
Edit: I'm not defending Dell in any way, but if they're watching youtube and browsing facebook, they'll probably be just fine.
alkonaut | 10 years ago
nickpsecurity | 10 years ago
adekok | 10 years ago