"Dell apologizes for preinstalling bogus root-certificate..."
Whew! Just think how bad it could have been if they'd actually installed them ...
Is it possible that the NSA or federal government paid or compelled Dell to create the bad cert as a backdoor for them to snoop on systems? Or do you think it's just Dell being Dell?
Cory, in paragraph 2 the name you're looking for is Superfish, not Snapfish.
Dell's use of bogus certs does not appear to be related to spyware;
rather, the company installed them to make it simpler to offer tech
support to Dell customers.
Did they explain how installing a self-signed root certificate simplifies the tech support process?
Easy. It's because, uh... Look, a three headed monkey!
That's better than the pocket sand Lenovo threw at me.
Thanks!
Naturally, the uninstaller will install two more certificates... just to assist with aftercare, you understand...
Given how utterly braindead this was (they didn't even bother to give the cert a name that sounds like a registrar; "eDellRoot" stands out like a sore thumb against the rest of the list; and they didn't remove the private key so anyone could trivially use the cert to attack any system with it installed); I'm inclined to go with "Dell being Dell".
Maybe the NSA has really embraced the power of lower standards; but I'd assume that they would prefer backdoors that are easier for them to open than for random script kiddies and phishing scammers to open. Had this been even moderately less bafflingly incompetent, it would at least have not been trivial for just anybody to pull the private key; which would have been much more useful as a backdoor.
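A check for the condition described in the comment above (a trusted root named "eDellRoot" whose private key was left on the machine), as an added example that is not part of the original thread. The function name `Find-SuspectRootCert` and its parameters are hypothetical; the certificate name comes from the comment.

```powershell
# Added example: audit the Windows trusted-root stores for certificates that
# either carry a private key on this machine (a real CA never ships its key to
# clients) or whose subject matches a watch-list name.
function Find-SuspectRootCert {
    param(
        # Names to flag; 'eDellRoot' is the name given in the thread.
        [string[]]$WatchNames = @('eDellRoot'),
        # Machine-wide and per-user trusted root stores.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reasons = @()

            # A trusted root with its private key present lets anyone who
            # extracts the key sign certificates this machine will accept.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present on this machine'
            }

            foreach ($name in $WatchNames) {
                if ($cert.Subject -like "*CN=$name*") {
                    $reasons += "subject matches '$name'"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = $reasons -join '; '
                }
            }
        }
    }
}

# Empty output means neither condition was found in the listed stores.
Find-SuspectRootCert | Format-List
```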
I am going to go with stupidity over malice here at least till proven otherwise. At work we had issues with a video driver on the servers (didn't crash them or anything just a "hey I don't trust this" popup) and after some digging after one picky customer was complaining it turned out HP released the driver with the vendor's internal testing cert which of course was not trusted still attached instead of the regular one. It took them a bit plus some more time for it to be released internally.
The cert gets installed with "Dell Foundation Services", which appears to provide a variety of features of the "check for driver updates for my system based on service tag and PCI IDs of hardware" and "integrate with Windows Action Center to pop up messages about available updates" flavor.
If their past efforts are any indication, it's probably close to shovelware; but shovelware with a reason to be chatting over the internet, including about things (warranty support, say) that probably shouldn't be in the clear. Now; as to why they needed their own incompetent trusted root; rather than one of the sane and not-utterly-broken configurations normally used (apparently their dev team doesn't take any hints from whoever put together their SSLed online order form; which somehow manages to use encryption like a non-idiot); I have absolutely no idea.
My best hypothesis, so far, is that Dell may have decided to adopt the recently-retired NIH lab monkeys in order to reduce payroll expenses.
We're sorry that we got caught, and will take steps to ensure we are not caught again.
It's a job for the precrime unit
Sorry for being a noob, but is this limited to the OS installed when the computer is shipped? I would expect that if upon receiving the machine you wiped the OS and installed a different OS (because, ahem, that's what I do – replace Windows with Linux), then the new OS install will replace the certificates with its own. Is that correct?
Of course, you void the warranty when you do that, but under the circumstances it may be the more responsible thing to do.
Occasionally even wiping a hard drive won't clear everything out depending on how entrenched it is in the system. This is more specific to viruses, but I wouldn't put it past some companies to use these strategies for hiding their malware from users.
Still, what some people will do is wipe a drive and do a fresh install, or get rid of the drive and install a fresh one. If someone was seriously paranoid I guess you could flash your BIOS as well.
It's easier to apologize than to ask for permission.
Next time they will probably invoke the DMCA to stop people from snooping around in "their" systems.
Thank you – this is exactly what I was wondering about.
On one of my previous Dells, there was a hardware button next to the power button which attempted to load an "Entertainment System" if pressed. Long after I'd loaded Linux, I hit it once by accident when I went to power up the machine, and all sorts of fun with drive partitions and OS stuff ensued.
I had something similar. It was some sort of media button I think, it was a way to get into music files and get them to play without having to fully boot up the computer. It was a neat idea, but it was clunky and glitchy and I wasn't enthusiastic over Dell having a way to bypass the OS. Glad I don't have that laptop anymore.