“Dell apologizes for preinstalling bogus root-certificate…”
Whew! Just think how bad it could have been if they’d actually installed them …
Is it possible that the NSA or federal government paid or compelled Dell to create the bad cert as a backdoor for them to snoop on systems? Or do you think it’s just Dell being Dell?
Cory, in paragraph 2 the name you’re looking for is Superfish, not Snapfish.
Dell’s use of bogus certs does not appear to be related to spyware;
rather, the company installed them to make it simpler to offer tech
support to Dell customers.
Did they explain how installing a self-signed root certificate simplifies the tech support process?
Easy. It’s because, uh… Look, a three headed monkey!
That’s better than the pocket sand Lenovo threw at me.
Naturally, the uninstaller will install two more certificates… just to assist with aftercare, you understand…
Given how utterly braindead this was(they didn’t even bother to give the cert a name that sounds like a registrar; ‘eDellRoot’ stands out like a sore thumb against the rest of the list; and they didn’t remove the private key so anyone could trivially use the cert to attack any system with it installed); I’m inclined to go with “Dell being Dell”.
Maybe the NSA has really embraced the power of lower standards; but I’d assume that they would prefer backdoors that are easier for them to open than for random script kiddies and phishing scammers to open. Had this been even moderately less bafflingly incompetent, it would at least have not been trivial for just anybody to pull the private key; which would have been much more useful as a backdoor.
I am going to go with stupidity over malice here at least till proven otherwise. At work we had issues with a video driver on the servers (didn’t crash them or anything just a ‘hey I don’t trust this’ popup) and after some digging after one picky customer was complaining it turned out HP released the driver with the vendors internal testing cert which of course was not trusted still attached instead of the regular one. It took them a bit plus more some more time for it to be released internally.
The cert gets installed with ‘Dell Foundation Services’, which appears to provide a variety of features of the ‘check for driver updates for my system based on service tag and PCI IDs of hardware’ and ‘integrate with Windows Action Center to pop up messages about available updates’ flavor.
If their past efforts are any indication, it’s probably close to shovelware; but shovelware with a reason to be chatting over the internet, including about things(warranty support, say) that probably shouldn’t be in the clear. Now; as to why they needed their own incompetent trusted root; rather than one of the sane and not-utterly-broken configurations normally used(apparently their dev team doesn’t take any hints from whoever put together their SSLed online order form; which somehow manages to use encryption like a non-idiot); I have absolutely no idea.
My best hypothesis, so far, is that Dell may have decided to adopt the recently-retired NIH lab monkeys in order to reduce payroll expenses.
We’re sorry that we got caught, and will take steps to ensure we are not caught again.
It’s a job for the precrime unit
Sorry for being a noob, but is this limited to the OS installed when the computer is shipped? I would expect that if upon receiving the machine you wiped the OS and installed a different OS (because, ahem, that’s what I do – replace Windows with Linux), then the new OS install will replace the certificates with its own. Is that correct?
Of course, you void the warranty when you do that, but under the circumstances it may be the more responsible thing to do.
Occasionally even wiping a hard drive won’t clear everything out depending on how entrenched it is in the system. This is more specific to viruses, but i wouldn’t put it past some companies from using these strategies for hiding their malware from users.
Still what some people will do is wipe a drive and do a fresh install, or get rid of the drive and install a fresh one. If someone was seriously paranoid i guess you could flash your BIOS as well.
It’s easier to apologize than to ask for permission.
Next time they will probably invoke the DMCA to stop people from snooping around in “their” systems.
Thank you – this is exactly what I was wondering about.
On one of my previous Dells, there was a hardware button next to the power button which attempted to load an “Entertainment System” if pressed. Long after I’d loaded Linux, I hit it once by accident when I went to power up the machine, and all sorts of fun with drive partitions and OS stuff ensued.
I had something similar. It was some sort of media button i think, it was a way to get into music files and get them to play without having to fully boot up the computer. It was a neat idea, but it was clunky and glitchy and i wasn’t enthusiastic over Dell having a way to bypass the OS. Glad i don’t have that laptop anymore.