Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns.
Do you actually mean spyware, as in low-grade virus, or just preinstalled software? I'd be highly surprised if they bundled actual spyware with their machines.
This raises an interesting paradox to me. How would the people writing the marketing copy for any product that was supposedly Superfish-resilient actually know that it was?
Is the solution to simply not have marketing around such technical details? Is there a solution?
> This raises an interesting paradox to me. How would the people writing the marketing copy for any product that was supposedly Superfish-resilient actually know that it was?
A big difference is that Dell's inclusion of the private key appears to be a (major) screwup by someone with technical responsibility[0], whereas Superfish was downright intentional and involved people all over the company.
In that light, this doesn't really appear to be a paradox - no company should ever market themselves as being immune to mistakes and/or breaches. But it's pretty straightforward to live up to promises that you won't intentionally compromise all security whatsoever just to make a few ad dollars (which is what Lenovo did).
[0] As far as I can tell, there's no evidence that Dell benefits in any way from shipping the private key, so I'm going to invoke Hanlon's razor until we discover otherwise: https://en.wikipedia.org/wiki/Hanlon%27s_razor
But it would be a screw up in Dell's core activity. It's like Intel screwing up the design of the Xeon. I would be surprised if this didn't get approved by many people before going ahead.
At least on the consumer end, I'd say Dell's "core activity" is hardware, not software. This is more like Intel selling software that can screw up your computer: https://www.mcafee.com/
> But it would be a screw up in Dell's core activity. It's like Intel screwing up the design of the Xeon.
I'm not really sure I'd say that this is comparable to Intel screwing up the design of the Xeon.
But either way, there's a big difference between "we made a serious technical error, and nobody at the company caught this" and "we intentionally compromised our entire product because advertisers were willing to pay us, and nobody at the company stopped this".
This is a Polish anti-piracy campaign equating everyone who calls himself a Hacker to ISIS terrorists and pedophiles :/ That's right, they uploaded YT clips showing "hackers" in balaclavas collecting child porn. At the very same time Microsoft openly calls Polish makers Hackers in another part of its corporate portal.
Seems like a way to bypass signed drivers. Sending drivers to Microsoft for signing takes a few weeks and costs money. I bet this certificate was used on prototypes, but was not removed from final version for some reason.
Source: I worked for a hardware vendor and wrote Windows drivers.
I have seen driver installers that just install their own CA. A particularly clever one generated a CA at install time, signed the driver, deleted the private key, then installed the driver, however this relied on internet access during install to timestamp the driver signature.
Can you actually do that? I was under the impression that the kernel driver root certs aren't under user control, and you basically have to boot your Windows in debug mode to run an unsigned driver. Surely people would just self-sign instead if that was possible.
It's got a certificate signed by the bogus certificate authority that Dell bundled. So if your browser accepts the certificate (e.g. shows a green HTTPS instead of preventing the page from loading and displaying a warning) then the CA is installed and trusted on your machine.
It is signed by the eDellRoot certificate, if you visit the page and you don’t see any certificate warning, then your machine probably has the eDellRoot certificate installed.
On Android I only buy and recommend Nexus devices because of crapware, privacy and security concerns. It might be a good time for Microsoft users to switch to that same strategy and only buy Microsoft devices, since the introduction of Microsoft's own laptop makes it possible. It's also pretty much the Apple model.
I bought a Signature Edition Thinkpad Yoga S1 from Microsoft and it didn't have any junk on it, except in the registry. I think all they do is open the machine, uninstall all the non-Microsoft stuff, then ship the machine. A clean install wouldn't have registry keys for Evernote (for example).
I think I would only buy a Microsoft Surface machine at this point. The hardware is very good and they aren't junked up.
Do they remain junk-free when you install manufacturer software updates? I was wondering if manufacturers are mandated to keep the Signature laptops clean or if the first time you install your "control center / driver center" update it will automatically pull in things you'd rather not.
An interesting thing I realized on Android while doing some development was that if you install a custom root cert, Android actually persists a notification that says something along the lines of "other people may be able to intercept your communication".
Noticed this while I was installing the MITM cert for CharlesProxy.
Buying devices only from Google or Microsoft is a little better as it might remove one layer of involuntary data sharing but it would still be better wiping off Android and replacing it with something else that is more privacy oriented...
Are there any "somethings" that are more privacy oriented and can be flashed onto existing android hardware without destroying all functionality due to missing / poor drivers?
I have a Dell M3800 that was purchased in March and has this cert. I am not well versed in this area. What do I do? Can I just delete it from the "Certificates" snap-in in MMC? (And should I?)
I'm replying to my own comment, because I can no longer edit it. This is a response that I received from reddit [0]. I haven't attempted it yet, but I wanted to include it here for completeness (and opinions):
> You can safely delete it from both the root and personal certificate stores.
> You will also need to remove the eDell plugin entirely, otherwise the certificate will simply be reinstalled. If you have "Dell Foundation Services" listed in your programs you can uninstall it, otherwise you'll need to look for "Dell.Foundation.Agent.Plugins.eDell.dll" and delete it.
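A defender-side check for the two points raised above (the "does your browser accept it" test a few replies up, and the store cleanup in this reddit reply), as an added example that is neither the thread's nor Dell's own code: it audits the Windows certificate stores for eDellRoot, reports whether the private key is present, removes the certificate only when run with `-Remove`, and looks for the plugin DLL that would reinstall it. It assumes the certificate subject contains "eDellRoot" and that the DLL sits under a Dell folder in Program Files (the thread gives only the file name, not its path).

```powershell
<#
  Added example (not the thread's or Dell's own code): audits the Windows
  certificate stores for the eDellRoot root CA, reports whether its private
  key is present on this machine, and removes it only when -Remove is given.
  Assumptions: the subject contains "eDellRoot" and the eDell plugin DLL sits
  under a Dell folder in Program Files (the thread gives only the DLL name).
  Run from an elevated PowerShell prompt.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)   # without -Remove the script only reports

# Stores named in the reddit reply (root and personal), machine and user.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
            'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My')
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root CA whose private key is on the end-user machine is the
                # issue: that key can mint certificates this machine trusts.
                HasPrivateKey = $_.HasPrivateKey
                Path          = $_.PSPath
            }
        }
}
if (-not $found) {
    Write-Output 'No eDellRoot certificate found in the checked stores.'
} else {
    $found | Format-Table Store, Thumbprint, HasPrivateKey, NotAfter -AutoSize
    if ($Remove) {
        foreach ($cert in $found) {
            if ($PSCmdlet.ShouldProcess($cert.Path, 'Remove certificate')) {
                Remove-Item -Path $cert.Path
            }
        }
    }
}

# The plugin that reinstalls the certificate (named in the reddit reply).
# Search roots are an assumption; adjust if Dell software lives elsewhere.
$dllName = 'Dell.Foundation.Agent.Plugins.eDell.dll'
$roots = @("$env:ProgramFiles\Dell", "${env:ProgramFiles(x86)}\Dell") |
    Where-Object { Test-Path $_ }
$dlls = $roots | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -Filter $dllName -ErrorAction SilentlyContinue }
if ($dlls) {
    Write-Warning "Found $dllName at $($dlls.FullName -join ', '); uninstall Dell Foundation Services or delete it, or the certificate will come back."
} else {
    Write-Output "$dllName not found under the checked Dell folders."
}
```

Run it once without `-Remove` to see what is present; `HasPrivateKey = True` on a root-store entry is the condition the thread is describing.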
Take a look at the screenshot of the certificate store. Why are expired certs from 1999 in there? What's that "NO LIABILITY ACCEPTED" cert? Do you really have the private key for the self-signed cert?
This is worth a vulnerability report to US-CERT, and more publicity.
That person was mistaken. Keep reading the thread. Several people have already created website certificates that validate in browsers using the private key provided.
Microsoft created the feature so you'd actually have driver support when doing the reset. I'm sure we all love resetting a touch screen only machine to find out it has no touch support for the install.
No, I mean the official Windows CD (technically two DVD set now). New Windows versions are shipping frequently enough now that it would actually be possible.
This won't work because the firmware will write a file to your hard drive with the bloatware. It's scary that firmware will modify my filesystem - lots of damage could happen here.
Also, instead of step 2, it would make more sense to boot Linux from a USB stick and use dd to erase the hard drive -- this is more complete than installing another OS... but still useless if the firmware is working against you.
In this case Windows will write to your filesystem, not the firmware. Of course there is nothing stopping a firmware from writing to the disk before it loads any OS, but that is true with any OS not just Windows.
No no, sorry. Signature edition is buying the computer itself, not rebuying the OS. They're computers from Dell/Toshiba/Acer/etc. sold directly by Microsoft without any garbageware. Saves you the hassle of having to do a clean install after you buy it.
The US government launched a massive anti-trust case against Microsoft to enable OEMs to do whatever they wanted.
It cost Microsoft many billions of dollars, almost had the company broken up, and put them under close Department of Justice supervision for a decade. I don't think Microsoft will risk anything like that again.
Microsoft didn't get sued for trying to make installing Windows easier. It got sued for making changes in Windows designed to damage competitors (specifically Netscape, Sun, Borland, and Apple) and publicly and repeatedly lying about it.
The heart of the case was whether OEMs could install Netscape and/or remove IE. One direct result was that Microsoft could not insist on its preferred installation of Windows.
Microsoft was also prevented from charging the major OEMs different prices, which was its main way of rewarding OEMs for doing installations the way Microsoft wanted.
This is true -- but again Microsoft got caught lying about how IE's functionality was "intrinsic" to Windows (which was why it prevented IE from being uninstalled). It was also forcing PC manufacturers to pay a royalty for every PC sold, whether or not it was bundled with DOS or Windows (which damaged rivals like Digital Research -- the company Microsoft essentially stole DOS from, but that's another story).
> how IE's functionality was "intrinsic" to Windows
Microsoft had been forced to sign a consent decree in 1995, which prevented it from tying new products to the OS but specifically allowed it to add new features to the OS. It therefore didn't have much choice about its arguments, though (like every other OS supplier) it obviously wanted to include a browser. Equally obviously, delivering a free browser as part of the OS was good for consumers, which is why Microsoft won the browser bundling case on appeal.
Microsoft had also componentized the browser so that different functions could be used by other programs, which to some extent, did make it part of the OS. (Much of the anti-trust case argument on that topic was phenomenally stupid.)
>It was also forcing PC manufacturers to pay a royalty for every PC sold, whether or not it was bundled with DOS or Windows
Don't think so. That was a deal offered to some OEMs, but as far as I know, it was never forced on anybody. In any case, the US Justice Department banned the idea in 1994. I tend to think 21+ years is a bit of a long time to hold a grudge about something that was killed before it took off.
> Digital Research -- the company Microsoft essentially stole DOS from, but that's another story
Well, DR screwed up massively by refusing to sign a deal with IBM, then by charging too much for DR DOS, and then Apple screwed it in a court case over the UI in DR GEM. Either way, DR was dead long before the Microsoft anti-trust suit.
Depends on what you mean by "forced", right? If a PC manufacturer's choice is between not selling PCs with Windows pre-installed and having to pay a per-PC license for Windows whether Windows is installed or not, then effectively it's forced. And this was likely in play for years, but covered by commercial in confidence.
> DR screwed up massively by refusing to sign a deal with IBM
Sure but that's a different issue entirely.
As a result of the litigation over 86-DOS/QDOS (which MS licensed from Seattle Computer Products) Seattle Computer Products, DR-DOS, IBM, and Microsoft ended up with the right to ship DOS. Microsoft acquired SCP's license for chump change via a dubious legal maneuver whereby it was forced to sell its license to MS rather than to anyone else for whatever they wanted to pay (I forget the detail, it's documented in one of the Gates biographies). DR and IBM continued to sell technically superior versions of DOS, but IBM's was bundled with IBM-branded hardware and DR was crippled by Microsoft's licensing contracts which became particularly effective once Windows 3.x came out.
> 21+ years is a bit of long time to hold a grudge
This is only the tip of the iceberg of MS's anti-competitive behaviors. Probably its most pernicious behavior was "dumping" on rivals (cross-subsidizing products such as Access until rivals went out of business) and actively sabotaging third-party software (e.g. -- allegedly -- deliberately breaking Lotus 1-2-3 on DOS 2.x and -- well-documented -- breaking Borland compilers in the Windows 95 betas, which might well have continued into the release version had it not been caught red-handed).
At this point, the price "advantage" for Windows PCs vs. a Mac is tenuous at best... especially since a lot of folks buy on some "30% off this week" deal with Dell/Lenovo/etc.
> We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.
> Your trust is important to us and we are actively working to address this issue. We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately.
I think the mods changed the link. The original was a blog post, and one of the comments was from Dell and essentially said "We are Dell and we like security. Our experts are furiously working on security. We'll let you know what they come up with."
They are being asked about this over-and-over again, and they just spit back the same nothing response every time that is essentially what the person you replied to said.
This should be the NSA's job, keeping us safe from all the corporate and foreign government cyber espionage that is completely out of control. In reality they don't give a shit because they like to free ride on top of all the other backdoors as well as the ones they create.
Since Dell holds a ton of government contracts and a good amount of government computers are Dell, you can guarantee they most DEFINITELY "give a shit" about this.
One thing to note is, if you have your own Windows disks (some organizations might have) or if you use Linux this might not really matter to you. I wish laptops and desktops were sold without Operating Systems by the major companies, outside of server space.
There are quite a few low-end laptops available in India without any pre-installed OS. Most people who buy these end up using some pirated copy of Windows which is either left unpatched and vulnerable or comes with some form of malware already installed. It hasn't been great for security or privacy, sadly. No one I know uses Linux on them or forks out any money for a Windows license, which they deem to be too costly.
It shouldn't be. If anything, being as big as Dell makes me wonder why it hasn't happened already.
I work at an enterprise software company a few orders of magnitude smaller than Dell. The number of people we have who don't even begin to understand how SSL works beyond 'it's encrypted now' is frustrating.
Dell can probably recruit better people than we can, but I don't know if they can recruit better people at volume, top to bottom. It only takes a couple of people to not understand what they are doing and 'just get it done' for this to happen.
In that particular case, it's likely less "fail to comprehend the consequences of their actions" and more "underestimate the chances of being caught"...
Off topic: I don't reddit that much, so this is the first time I've seen this banner (specifically crafted to not be copyable!):
> You have been linked to a read-only version of this subreddit. Please respect the community by not voting.
Please do not vote or comment when you come from external subreddits.
When you add the np subdomain prefix to a reddit domain, it links to a non-participation version of the page.
The idea is that it helps to reduce "brigading", as in if a thread is linked to by an external party or another subreddit, the thread is not so easily derailed from its original context and audience.
Of course, if you actually want to participate in the thread, it's not difficult to simply remove the prefix. But it might make some people think twice.
NP links are mainly used by inter-subreddit references, as "brigading" is against the reddit rules, and can result in a subreddit being banned.
I can see why it all seems a bit ridiculous.
It's non-copyable because it's added with CSS and not an element on the page. It's done this way because CSS is the only way for a subreddit's moderators to add a message like this. (Reddit allows moderators to customize CSS, but not otherwise alter pages.)
Dell is serious about your privacy