From the good women and men over at the EFF:
Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn’t be so bad, except Superfish’s certificates all used the same private key. That meant all the affected computers were vulnerable to a “man in the middle” attack in which an attacker could use that private key to eavesdrop on users’ encrypted connections to websites, and even impersonate other websites.
Now it appears that Dell has done the same thing, shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link.
Did you buy a Dell computer during your Black Friday shopping thing over there in the US? Might want to look it over before handing it your loved one.
Alternatively, just buy a Mac and don’t deal with this nonsense.
Imagine the effect on Dell / Lenovo / other companies ifL
1. Deliberately or negligently damaging security and privacy was illegal, and a criminal offence.
2. The penalties imposed by a government regulator actually hurt these companies such that the benefits of ads / sponsorship / selling data was vastly negated.
Companies will always do whatever they can get away, right up to the edge of the law.
Morality and ethics is not the same as the law and doesn’t effect the bottom line.
What, government regulators actually doing something useful? If that were to happen I think we’d forget all about Dell and Lenovo due to pure shock.
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/a…
What I don’t understand is that Dell computers are mostly focused on business, not home entertainment. Companies have IT crowd and support people, I don’t buy the “to help the user” shit. If people cannot understand how to fix their computers themselves, there is not reasons to open another breach in the security for that, call a tech guy.
Just to make you notice the following : I use a Dell Vostro 3555 (AMD APU A8-3500M) on a daily basis for almost 4 years now. Never had an issue, and no need of a root certificate. And if there was an issue, there’s a quick SN on the back of the machine and a dedicated Dell line that can help almost 24/24.
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertFix.exe
One click fix (run as admin)
Yeah, after a fuck-up (dell, sony) they release another binary, run as admin, without source, without a proof it does only what it is supposed to do.
Yeah, sure, people who just lost trust in you are to trust you again. They need to step up, do a deterministic build of the “fix” tool at least.
Hey, no my fault. At least they try to fix things, and don’t worry, I bet if people found out about the certificate, they’ll check the fix as well.
If you’re such a paranoid, just stop connecting to the internet, or even using a computer.
Surely at least two clicks (double-click to run a program).
In reality, probably considerably more.
Ok, ok, here we go, manual steps :
1. Open Task Manager by right clicking on the taskbar and select Task Manager.
2. Select the “Services” tab in the Task Manager window.
3. Click on “Open Services” at the bottom of the “Services” tab.
4. Look for “Dell Foundation Services” and select it.
5. Click “Stop the service”.
6. The “Services” window should look like the image below after the service has stopped.
7. Open “File Explorer” and navigate to “c:\Program Files\Dell\Dell Foundation Services” and delete the “Dell.Foundation.Agent.Plugins.eDell.dll” file.
8. You may be prompted with the warning below. Click “Continue” to delete the file
9. Hit the Windows key on the keyboard and type “certmgr.msc” followed by the “Enter” key.
10. You may be prompted to allow the program to make changes to the computer. Click “Yes”.
11. When the certificate manager window opens, double click on “Trusted Root Certification Authorities” on the left panel. Then double click the “Certificates” folder.
12. Select the eDellRoot certificate from the right panel.
13. Delete the certificate by clicking the “X^aEUR icon in the toolbar.
WARNING! Make sure ONLY the “eDellRoot” certificate is selected like the example below before clicking the delete button. Deleting any other certificate may cause your system to function improperly.
14. You will be asked to confirm deletion of the “eDellRoot” certificate. Click “Yes”
15. After deletion, the “eDellRoot” certificate should be removed from the certificate manager’s window as shown in the image below.
16. Go back to the “Services” window and select “Dell Foundation Services” and click “Start the service”.
17. Close all windows that were opened.
18. eDellroot Certificate is now removed from the computer.
Instead of the “just use a Mac” it would have been great if there was a link to this fix in the article.
I am afraid that except for Lenovo (on purpose), Dell (no knowledge) and Apple (software bug) there is a general problem with hardware manufacturers and non-unique certificate keys: https://www.kb.cert.org/vuls/id/566724
for the list of affected companies:
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Referen…
(yes, that includes Cisco, Draytek and a WHOLE bunch of others)
GPS in your Ford instructs you to drive into lake. You can replace GPS. Alternatively, just buy a Bentley and don’t deal with this nonsense.
P.S.: my point is not about price, but more about disproportion between the problem (vendors’ crapware) and solution (changing whole platform).
P.P.S.: and it is not like OSX doesn’t have any problems of its own.
As with all car-computer analogies, yours is flawed. Dell::Mac =/= Ford::Bentley, more like Ford::Lexus. Unless every single Mac model costs 10 times as much as its Dell lookalike while sporting a huge leap in power and refinement (hint: they don’t), you’re way off base.
But I do agree with you on one thing: You don’t have to buy a Mac to get away from Dell’s stupidity. If you find yourself the sad owner of an infected Dell machine, simply wipe the drive and install Windows 10 from a Microsoft provided ISO or USB image. The machine will pass activation (one of the better things to come out of Windows 10 is the simplified activation scheme), and you are free to download drivers from Dell and go on your merry way. Just remember that you don’t want to install the Dell Support software or all that work will be for naught.
If you’re truly paranoid, you can wipe Windows out and install another OS, like Linux or a BSD.
And if you haven’t bought a Dell yet, don’t. Vote with your wallet and buy from a vendor that doesn’t preload your computer with a massive vulnerability.
As a matter of habit, I do a clean reinstall of the OS whenever I buy a laptop.
But I’m not the typical consumer.
Keep in mind that paranoia is a virtue.
My point was that the computer comes with Windows 10 and a compromised root cert. If one buys the computer with the intention to run Windows 10, and simply wants to be free of the bad cert, the easiest way to ensure that is to follow the procedure I laid out. It wasn’t an endorsement of 10 so much as a fix for the given issue.
I never said otherwise.
If you really need Windows, think about the Signature Edition computers: vanilla Windows, no crapwares.
Or build your own.
You don’t really need a signature edition computer. All you need to do is download a Windows 10 .ISO (or the media creation tool) from MS and install clean when you get the PC. Then download whatever drivers you need. Assuming the drivers don’t have any BS in them, you’re good to go.
They usually don’t in and of themselves, however they will try to trick you into installing some sort of driver updater, or add-on software if you’re not paying attention. If you do that, it’s square one all over again.
All of which ignores the majority of people who will be f**ked by these decisions… the ordinary consumers. You know, those people who’d have no idea what a “media creation tool” is, or how to reinstall their operating system? Those people who know their computer is screwed up but have no idea why? You know, most of the population?
This always bugs me about answers like this. It’s all well and good for us, who know how to do such things and wouldn’t give it a second thought. However the ordinary consumers really should buy a Mac, or a signature edition PC, if they want a decent experience. Unfortunately, they don’t usually know that either.
Well, consider the target audience here. This is OSAlert – I’m not talking to a bunch of techno-weenies
Assuming you live in one of the limited number of countries where the signature computers are sold. The BYO option isn’t a viable solution for someone who wants a notebook.
Edited 2015-11-29 06:10 UTC
I’m pretty sure it’s easier to remove the leaked root CA than it is to patch your code so it isn’t stupid.
Still, at least it’s not an suid script that checks your identity via an environment variable.
If you don’t remember that, then there’s this:
DYLD_PRINT_TO_FILE
Apple has *always* had a more blase attitude towards security, because “Macs don’t get hacked”. Except when they do.
There is a huge difference between OS X having a bug vs. an OEM taking Windows then making it insecure by doing something stupid like what Lenovo and Dell did. The former was simply a human mistake where as the later was idiocy by OEM’s who should learn that their job is to provide hardware with Windows pre-installed and not install crap additional to what is the absolute bare minimum for the system to function. It is crap like this that undermine the Windows brand yet I keep hearing all this crap about ‘freedom’ and how having a PC gives you ‘choice’ whilst ignoring that you have to make sure that you do an extensive background check into the OEMs and what they do when butchering Windows before purchasing.
Reminds me of the Android defenders going on ‘freedom’ and ‘choice’ yet how many of them install unneeded security problematic crap with their installation of Android? how many end users are thrown under the bus 12 months later when the new phone is released and Samsung can’t be buggered providing Android updates? Honestly, I swear Windows defenders get their Jimmies rustled in top speed because their inability to accept that maybe there are things that Apple do better than the Windows/PC world and that maybe there are some ways in which Apple does things that OEM’s should adopt rather than going on endless Mac bashing as you did in your post.
Wait, you’re saying Superfish was just a human mistake? An application that was designed, from the ground up, to intercept and modify users’ traffic in order to net Lenovo some extra profits?
Read what I wrote, it is abundantly clear the the bug in OS X was human error where as Superfish was Lenovo deliberately making Windows insecure by design not by accident.
No, Lenovo made a particular range of laptops insecure, by inadvertent design.
Lenovo did nothing to Windows itself. Superfish didn’t affect my copy of Windows at all.
Superfish was a malignant, deliberately difficult piece of software to remove.
Dell left a self-signed trusted root cert installed.
The mistakes I mentioned by Apple are all serious flaws in the security of the OS at a code level.
Of the three, Lenovo is the worst, because they deliberately made their adware hard to remove, and as a bonus, it included tools for creating man-in-the-middle attacks.
Apple is the second worst, because it demonstrates a continual lack of focus on security– some of the mistakes I listed are amateur mistakes no serious developer should have ever made (a double goto?!? Seriously?).
Dell made a blunder in not considering the ramifications of their certificate– but of the three, it’s the only one that can be fixed by a user without any special tools or patches.
I’m not bashing OSX– security is hard to get right. I’m pointing out that in the context of “Get a Mac and don’t deal with this nonsense” OSX is no better than any other OS vendor– and to think so is incredibly naive.
The *REAL* problem with the list of security issues that I brought up, is that with the exception of the setuid script, they’re all from this year, and it took me less than 10 minutes to find them.
OSX is no more secure than Windows or Linux– it’s just attacked less right now.
I’m not sure the point you’re trying to make. All of the problems you state are because of OEMs. You cannot compare (Micrsoft + Random OEM) or (Google + Random OEM) to Apple. If you buy a Nexus or Surface device you don’t have this problem.
What would you suggest Microsoft or Google do?
I’d immediately crack down on this shit at all levels, because it’s also hurting Windows’ reputation and they don’t need much help. They should threaten to revoke the right to sell Windows when companies do this, and carry through with it if they don’t shape up. In the long run, mistakes like this will hurt Microsoft far more than they will Dell, because the typical consumer blames Windows, not their OEM. Windows is Windows to most people out there, and they neither know nor care about what Lenovo or Dell may have done.
Goes back to what I’ve always said – Microsoft need to enter the PC market themselves because it is clear that the OEM’s are doing such an atrocious job whilst wrecking the Windows brand whilst they’re at it. When end users have issues, do they blame the OEM or do they blame Windows (and in turn Microsoft)? Then again it was Microsoft who championed the whole horizontal market model for PC’s so really they’ve only got themselves to blame.
Sure, no more needs of OEMs, Microsoft can wreck their own distro with crapwares and telemetry, see Windows 10.
In a way, they have… the Microsoft Signature Edition.
I don’t get the raging. Pretty much every god damn manufacturer out there has made mistakes, including Apple, but people are railing against Dell like they were the effing Anti-Christ!
What Dell did was incompetent, yes, but the comparison to Superfish isn’t quite apt: Dell’s intention never was to inject ads into your traffic or modify existing ones or to otherwise gain financially from your traffic, this was clearly a case of stupidity and incompetence. Superfish, on the other hand, was created from the ground up all for the purposes of benefiting financially from your web-traffic and maliciously went and modified your traffic!
Dell’s response to this has also been a lot better than Lenovo’s: Dell responded very quickly and released a tool to remove the certificate like a day later — they didn’t faff about it, they didn’t try to come up with excuses or stuff like that. I’d also hazard a guess that they’re going to be paying a lot more attention to their security in the future thanks to this blunder.
So, why all the raging? Why all the grinding of axes? Even here on OSAlert you people are jumping on the ignorant hate-train, just like any of the “luddite sheeple” that you so cheerfully mock!
Agreed, this sounds to be well-meaning incompetence rather than malice… an attempt to do something useful by someone failing to appreciate the consequences.
It’s still a serious mistake by Dell, but their response to that mistake is everything you could hope for.
Because the headline “Dell admits, fixes, HTTPS blunder” isn’t nearly as good as “Dell is Breaking HTTPS!!”.
Even on those affected Dell’s, when using Firefox you will be safe from this issue. Firefox uses it’s own certificate store. So instead of saying “Just buy a Mac”, it would be cheaper to Just Use Firefox.
As far as fishing expeditions go, I have definitely seen better, but I’m not sure if I’ve seen a lamer one.
Edited 2015-11-28 15:21 UTC
As far as useless pieces of advice go, Thom, this one takes the cake. Might as well tell people to install Linux, or OpenBSD, or FreeBSD. It’s all about the same and for most people using Windows, just about as stupid a suggestion.
Reason: OS-X isn’t supported by the VAST majority of business software providers and even plenty of hardware providers. Also, there are plenty of people that don’t like the Apple my-way-or-the-highway attitude with its customers. You tell that to someone that depends on such software for their business and you’ll just get laughed out of the room with the door slammed behind you. Next time, advise people with useful information like a link on how to manage root certs in Windows.
The URL says “Vista” but it works in 10 as well.
http://windows.microsoft.com/en-us/windows-vista/view-or-manage-you…
Why not perform a clean Windows 10 reinstall? It’s already activated anyway.
– Buy a PC and use as it came out of the box: Crapware and Microsoft spies on you.
– Clean install Windows 10: Microsoft spies on you.
– Install Linux: OMG its not identical to Windows and can’t run web Outlook in IE so its impossible to write your TPS reports with it.
– Buy a Mac: You can’t write your TPS report with it because it has all the functionality of a slab of aluminium, but if you are a true believer, using it will feel like Ive himself is fluffing you.
Nice reading for a wet and windy Sunday morning.
Thanks to IBM, I can now do all my Software Development on a Mac and am able to deploy it on HP-UX, AIX and even Z/OS. No, I’m not running the Dev software in a VM. It runs natively on OSX.
Useful as a slab of Ali? Really. The increasing numbers of Mac’s being sold can’t all be wrong or even fanboi’s.
All OS’s have their problems but to slag off OSX as being useless unless I’m a Fanboi is getting a bit old and to be honest rather tiresome. Please show us all the evidence that makes a Mac a useless bit of metal and not a useful computer. I’m sure that Thom would give you a platform to air your views.
Windows 10 and all its issues is all Microsoft own making. This incident with Dell just the icing on the cake.
The telemetry and data slurping and ‘here have a load of fixes but do not call us if we bork you computer’ attitude of MS is turning a good number of people away from their products for good.
My advice (from 40+ years in IT) is don’t buy a PC with Windows 10 in it and if you must then don’t go near Dell UNLESS you are competent enough to wipe it clean and install something a little more sane.
Question : my data plan is limited (3G) so is there a way to count the telemetry ratio and ask Microsoft for a monthly refund of my bandwidth usage ?
First thing to do is to wipe out Windows and install Linux. This will remove such kind of nonsense right away. Lenovo however did some dirty trick with UEFI firmware, which in theory can compromise any installed OS. Defending against that is already harder. You’ll be hard pressed to find any modern computer / motherboard that allows installing FOSS firmware like Coreboot.
Edited 2015-11-29 02:12 UTC
http://www.gnu.org/philosophy/ubuntu-spyware.en.html
Edited 2015-11-29 12:18 UTC
Which was discovered because it’s FOSS. Canonical however isn’t new to distancing from Linux community, so I don’t recommend using Ubuntu.
I am sure Thom would gladly help those that try to make 400^a‘not last a whole month get a Mac, so that they don’t have to deal with this nonsense.
Or those that barely got their first smartphone as their introduction to the world of computers.
It is very easy to say “Just get a Mac” when living on a rich country.
Edited 2015-11-29 12:25 UTC
Ever visited a Pawn-brokers?
I picked up a 2011 17in MacBook pro for ^Alb400 just over a year ago. Cheap for an i7 CPU with 16Gb ram.
Think outside the box and you might be surprised what you can find.
I don’t have the slightest idea of what a Pawn-brokers is.
Where I come from, people are already thinking out of the box how to get food and pay their bills for the whole month.
As I said, nice first world problems in rich countries.
Pawn brokers is probably the 3rd oldest profession in the world.
These are places where people take ‘stuff’ they own to sell or to ‘pawn’ where the items are handed over as security for a short term loan. Then the loan is paid off and the items returned.
Shops are traditionally identified by a sign with three balls hanging from a bar.
A great place to get pre-owned stuff cheap. Sort of low tech e-bay. Been around for hundreds if not thousands of years.
Thanks for the explanation, I have never seen something like this on my country.
That principle exists, but only on the big cities, and it is usually a shady business.
You will never find computers there, rather rings, necklaces and such stuff.
Signature comment from obnoxious retard that is Thom. I am already getting fed-up with Thom’s nonsense such as this. He does this every time: just copy&paste some short quote from random tech. site and add his uber-important “opinion” that is not just obviously biased but also completely off-topic and dripping with fanboy-ism.
That does it, I am now un-subscribing from OSAlert newsletter. When I come to tech. news site, I expect at least certain level of professionalism, not some asshole-blogger-living-in-the-basement type nonsense.
“Alternatively, just buy a Mac and don’t deal with this nonsense.”
And deal with Mac-specific nonsense.
Probably true but IMHO this is a whole lot less aggravation than you get with Windows (post W7).