Slashdot Mirror


Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk)

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

92 comments

  1. Let me Guess by Anonymous Coward · · Score: 5, Insightful

    He is running a pre-installed Windows?

    First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

    1. Re: Let me Guess by Anonymous Coward · · Score: 2, Interesting

      Apparently it reinstalls itself on updates and also is installed onto Ubuntu.

      This is lawsuit worthy IMO. Either maliciousness or gross negligence. One doesn't just accidentally do this.

    2. Re:Let me Guess by Lead+Butthead · · Score: 5, Informative

      He is running a pre-installed Windows?

      First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

      Except if you bought a Lenovo, it'll helpfully replace OS components through Lenovo Service Engine entirely on its own. So a clean install won't save you. Nice eh?

      --
      ELOI, ELOI, LAMA SABACHTHANI!?
    3. Re: Let me Guess by ilsaloving · · Score: 2

      The FA doesn't mention anything about Ubuntu. Do you have a link?

      Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?

    4. Re:Let me Guess by Anonymous Coward · · Score: 0

      WTF? We really need open source bios...

    5. Re:Let me Guess by Anonymous Coward · · Score: 0

      Everyone wants to spy on us. This sort of thing will not stop until enough people band together to make it stop.

      Which is to say, ever. Most people are too computer illiterate to notice or care about this sort of thing, so it will be tolerated. And the open source efforts of the small few will always be precariously legal at best, and will always have barriers (implicit or explicit) preventing widespread adoption.

    6. Re:Let me Guess by Dr_Barnowl · · Score: 1

      Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.

    7. Re: Let me Guess by LinuxIsGarbage · · Score: 4, Informative

      The FA doesn't mention anything about Ubuntu. Do you have a link?

      Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?

      I can't speak to Ubuntu, but on Windows for Lenovo, Lenovo can install bloatware even on a clean install using Microsoft's Windows Platform Binary Table. Primarily intended for Drivers, or security software like LoJack.

    8. Re: Let me Guess by Anonymous Coward · · Score: 0

      As a temporary fix, don't delete the certificate, instead disable all its "intended purposes".

    9. Re:Let me Guess by Anonymous Coward · · Score: 0

      There's more information on the WPBT (Windows Platform Binary Table) entries here:

      Zombie Crapware: How the Windows Platform Binary Table Works
      http://www.howtogeek.com/22630...

      Basically, if you have a C:\Windows\system32\wpbbin.exe on your system then your computer's manufacturer is using this technique to Root Kit your system. Haven't found a useful tool yet that lets you examine WPBT and delete its contents, though.

    10. Re: Let me Guess by Zero__Kelvin · · Score: 1

      YHBT

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re: Let me Guess by afidel · · Score: 2

      Or copy it into the untrusted store.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    12. Re: Let me Guess by afidel · · Score: 1

      Or copy it to the untrusted store.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    13. Re:Let me Guess by Anonymous Coward · · Score: 0

      He is running a pre-installed Windows?

      First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

      Then why are you buying their hardware ... the more opaque half of the package?

    14. Re:Let me Guess by Anonymous Coward · · Score: 1

      Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.

      Ahem. The bios recognizing the file system and replacing files before booting the OS would work against any OS. Yes, Windows will accept a vendor-signed file in its place, but Windows was really the only OS to feature secure boot anyway.

      At best you could claim that Windows - unlike other OSes - had the opportunity to protect against this, but Microsoft chose not to. Yes, Microsoft has described the technique (not a mechanism - there is nothing in Windows to support this) - to allow vendors a way to ensure vital customized components to be configured without shipping those customizations on every Windows. The abuse of the technique is entirely on Lenovo.

    15. Re:Let me Guess by Anonymous Coward · · Score: 0

      To be official though, you first need to buy windows as well, because oems don't give you a clean install disk.

    16. Re:Let me Guess by Anonymous Coward · · Score: 1

      You can just download your ISO of choice from MS's digital distributor or use the media creation tool.

    17. Re: Let me Guess by Anonymous Coward · · Score: 0

      Well - I can't speak for Windows, but this guy I know can get into my house without a key. What he's doing there I have no idea, but the fact that he can get in probably means that dell can get in as well. /. is a fucking joke :( It used to be real nerds here, but clearly LinuxIsGarbage is proving that it's more about remembering old news that might be somewhat similar, as they both mention certificates. Also 5 Informative? What's informative in this post?

    18. Re:Let me Guess by Anonymous Coward · · Score: 0

      Do these people not learn. Ever?

    19. Re: Let me Guess by LinuxIsGarbage · · Score: 1

      I probably shouldn't reply to an AC, but while I'm "remembering old news", in the case of Lenovo, on Windows, it's installing crapware out of the BIOS onto a clean install from a clean disc. The Great Grandfather of my post is talking about:

      He is running a pre-installed Windows?

      First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

      With the " Microsoft's Windows Platform Binary Table", a clean Windows install becomes irrelevant, OEMs can still infect you by installing binaries without your permission on a clean install. Not just certificates.

    20. Re: Let me Guess by nullchar · · Score: 1

      And then you need to purchase a retail license to go with it. The OEM key won't work (which sucks for virtual machines too).

  2. Coming soon in Windows 11 by swb · · Score: 1, Interesting

    ...a root certificate store that is locked and can only have NSA-approved certificates installed.

    1. Re:Coming soon in Windows 11 by Dr_Barnowl · · Score: 5, Interesting

      No chance.

      This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

      We also had something that directed traffic while we were out of the corporate network through a third-party proxy that used the same trick (Websense).

    2. Re:Coming soon in Windows 11 by swb · · Score: 2

      That's easy to solve. MS will sell you an Enterprise Root CA Server system which _can_ install into client root CA stores. It's only $10,000 plus $100 per CAL for every client system the root CA is installed on.

    3. Re:Coming soon in Windows 11 by Luthair · · Score: 1

      They could remove the ability out of the non-enterprise editions. More obviously they could also add it to their licensing agreement with OEMs to prohibit changing them.

    4. Re:Coming soon in Windows 11 by Joe_Dragon · · Score: 2

      and then the people who use Linux based systems will just do it the free way and it's antitrust to block that.

    5. Re:Coming soon in Windows 11 by sexconker · · Score: 5, Interesting

      No chance.

      This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

      Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk.
      What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

      Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.

    6. Re:Coming soon in Windows 11 by swb · · Score: 1

      Yeah, but thanks to Justice Department "internal security guidance", there will be no anti-trust suit against Windows' new "root ca secure store".

    7. Re:Coming soon in Windows 11 by Joe_Dragon · · Score: 1

      What about the EU?

    8. Re:Coming soon in Windows 11 by Dr_Barnowl · · Score: 1

      Oh, believe me, I was deeply uncomfortable about the whole thing. I think I even reported it to the IT department as a security problem (the certs they were using were self-signed and not even remotely plausible as belonging to our organization at face value - I thought it was a rootkit). I made a point of telling everyone I liked not to do anything even remotely compromising on their work machine.

      I've since left that workplace and control my own infrastructure.

      I think it was the routine analysis of all our VoIP calls in a voice-processing SIGINT program that really creeped me out though. I only twigged to that one because we used to get the IT dept changelogs (for operational reasons) and they were talking about moving its storage folder to a different SAN.

    9. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      And it still won't help you when you go ssh tunneling, or any of a number of other VPN type proxying solutions. Sure, you can snoop the outer shell, but the inner encrypted payload - tough cookies

    10. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      Actually Firefox refuses to use the Windows Root CA Store because there's no way to determine if the data is from the default CA bundle that ships with Windows or if it's from an admin's manual install. Granted that does not prevent the corporate admin from spying on you as in the example above, but it DOES prevent the NSA scenario as described by the GP.

      No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

      This is the US we're talking about. Clickwrap licenses are valid contracts and they prohibit other rights, First Sale for example. I'm sure there is language in their contracts that says the company owns the session you are using to communicate and they reserve the right to snoop in if they desire to, regardless of other legal obligations the user has about preventing any such snooping. (Basically the user is responsible for granting them access, and the user should be held responsible if a lawsuit were to be made over it, because the user should have been more careful about making sure they could uphold their legal obligations.)

      Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.

      Then you'd very quickly find yourself out of a job, and be unemployable going forward. Not that I disagree with your sentiment, I'd whole heartedly welcome it, but that kind of anti-corporate anti-spying talk will not get you far as an admin in the current political climate.

    11. Re:Coming soon in Windows 11 by Dr_Barnowl · · Score: 1

      Indeed, I tunnelled all my web traffic through my router at home via SSH.

    12. Re: Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      No end of trouble or not, those are the enterprise's machines to do with as they see fit... a consumer laptop not so much.

    13. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      +1 Insightful, someone bookmark the parent post. Give it two years, Microsoft will capitalize on this.

    14. Re:Coming soon in Windows 11 by queazocotal · · Score: 1

      Exactly why should you (as an employee) have any rights to privacy on a computer you do not own, and agree to being monitored on?

    15. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      If you did that on a work machine, you probably gave them access to your home network as well. If they're intercepting all web traffic and voice calls, they probably have keyloggers on the computers, too. They sound like real scumbags, so you can't count on them leaving your home network alone...

    16. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      Where do you draw the line? Can a company put cameras in the bathrooms, since they own them and you probably agreed to them monitoring the premises?

    17. Re:Coming soon in Windows 11 by Velox_SwiftFox · · Score: 1

      Note: the urinal cameras are for scientific research purposes only

    18. Re:Coming soon in Windows 11 by FrozenGeek · · Score: 1

      You don't (usually) use the urinal for work purposes. You do use your employer's computer for work purposes. Personally, I use my employer's resources for absolutely nothing personal. I use my resources for absolutely nothing work-related. I keep a very strict separation between personal and work resources to minimize my employer's claim to anything I do outside of work. Certainly not an iron-clad guarantee, but it should help.

      --
      linquendum tondere
    19. Re: Coming soon in Windows 11 by afidel · · Score: 1

      Use Google authenticator with openvpn at home, keyloggers won't help them.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    20. Re:Coming soon in Windows 11 by mlts · · Score: 2

      In companies, using a device like BlueCoat, or another, and dropping the root cert into AD for it to be auto-trusted isn't unheard of.

      However, I'm seeing this being done more and more with adware. In fact, when helping to clean some infections, when I was doing a quick forensic check before saving documents and wiping the box, almost all the machines with adware/scumware had a root cert added, and all traffic going through some local VPN or proxy. This is of course fixable, but if this is done, who knows what other stuff is installed, so it is best to just save critical stuff and start all over.

      There is one way around the WPBT install (which has been around for almost a decade, mainly used to reinstall LoJack for Laptops), and that is to install an OS which acts as a hypervisor (ideally a non-Windows OS which doesn't give a hoot about WPBT), then do the rest of your work in a VM. Of course, this makes gaming almost impossible, but it is a way to mitigate the damage that WPBT installed software is able to do.

      I personally don't mind software that an OEM wants to have installed with Windows, especially drivers for NICs and core items which are difficult to just fetch and download. However, the ideal would be to have an install/recovery image of Windows on a read-only flash partition, ideally with the ability to boot more than one Windows edition (so a machine that initially came with Windows 7, got upgraded to Windows 10 has the option to boot and install from either.) At the minimum, the user should be prompted and given the option to install each signed package, or just decline everything.

    21. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      For example people might share their work related opinions about other people and how to most efficiently deal with them in emails as a way to improve productivity. The "other people" may include Hitler 2.0 their boss or his son.

      While some control freaks may have issues with it, the moment you make others use your hardware as communications device you have to acknowledge their right to privacy. You want to know everything going on on your hardware? Simply don't let other people use it.

    22. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

      The fact this CA cert is not and has never been used to intercept HTTPS connections not destined to one of our internal servers likely won't come into play in your thought process about my morality, but figured I would toss that out there anyway.

      But I would argue charging $100/year/server (normal cert) or $500/year/domain (wildcard cert) is bad, evil, and wrong.

      Why pay that kind of money when I can do it myself for the nominal cost of CA infrastructure I can host on a server I already run?
      Especially when taken into consideration that the same CA is used to drive the smartcard login system to replace weak user passwords?

      I see no reason to shell out $50k/year or more for an external third party to say who company management trusts or doesn't trust when clearly we are more qualified to make that choice and can do so without the additional expenditure.

      Also no it is not illegal technically or otherwise. First sale doctrine plus all laws regarding property rights explicitly have always been upheld that one can do anything they wish to a device they purchased.

      This is why the CA public cert is installed on the corporate computers owned by the corporation only. We would NEVER force that cert on an employee's computer or property.

      The public CA cert is however made available on the Intranet site for anyone that wishes to install it, but in not doing so (by choice or by not knowing it is there) will result in nothing bad other than a bunch of SSL errors to wade through and determine on your own if they are actual corporate sites or not.
      If you wish to take on the responsibility of determining that on your own, just realize you are also taking on the responsibility if you fail at that task and send corporate owned data to an untrusted third party.

    23. Re:Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      You don't (usually) use the urinal for work purposes.

      Well, I don't know about you, but I don't use the urinal "for fun". I do it because as a human I need to pee. So, the options are (1) use the urinal, (2) pee where ever I'm standing, (3) pee my pants. I'm guessing (2) and (3) would, for work purposes, be frowned upon. So, clearly using the urinal as the "correct" option is for work purposes.

    24. Re:Coming soon in Windows 11 by roadsonblarb · · Score: 1

      No chance.

      This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

      Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk. What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

      Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.

      Why would they use a certificate in a clean install? I've said this many times irl. I HATE DELL

    25. Re: Coming soon in Windows 11 by Anonymous Coward · · Score: 0

      "Clearly", it would be for "personal" reasons, Captain Obtuse.

      Option 4, hold it.
      Option 5, pee at home/elsewhere on break

      I'm sure there are others. There are very few jobs that include pissing as a job function or requirement.

      (looking forward to insensitive clod remarks ;). )

  3. Its only SuperFish-like by Luthair · · Score: 1, Insightful

    if the private key is also available on the machine. Otherwise it's another sort of questionable.

    1. Re:Its only SuperFish-like by Chmarr · · Score: 4, Informative

      Reading the FA: yes, the private key is on the machine.

    2. Re:Its only SuperFish-like by Luthair · · Score: 1

      I find it hard to tell from the article whether that is the case.

    3. Re:Its only SuperFish-like by thoromyr · · Score: 5, Informative

      Not only is the private key supplied with the certificate, unlike with SuperFish the certificate can also be used to sign executables. Which means that the bad guys can now sign their malware with eDellRoot and gain unwarranted trust. It figures that slashdot doesn't provide a good link. Try http://arstechnica.com/securit...

    4. Re:Its only SuperFish-like by Anonymous Coward · · Score: 0

      FT techweekeurope.co.uk A:

      "[W]e determined that they are shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers," said Kevin Hicks

      FT theregister.co.uk A:

      [Dell] installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops.

    5. Re: Its only SuperFish-like by mSparks43 · · Score: 1

      it's the case it has the private key and it is publicly available. my xps13 windows install bought Feb this year (which I rarely use) has it.

      actually got a dell engineer coming round this week for an issue which I highly suspect is the result of this being abused.

    6. Re: Its only SuperFish-like by mSparks43 · · Score: 1

      it's the case. my xps13 windows install bought Feb this year (which I rarely use) has it.

      actually got an engineer coming round this week for an issue which I highly suspect is the result of this being abused.

    7. Re:Its only SuperFish-like by theskipper · · Score: 3, Interesting

      Heh, as pointed out at the bottom of that article someone in Dell marketing needs to eat some serious humble pie:

      http://www.dell.com/us/p/xps-1...
      "Dell is serious about your privacy
      Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."

      Youch.

    8. Re:Its only SuperFish-like by exomondo · · Score: 2

      At least they're honest, apparently you get faster set-up, you get reduced privacy and you get security concerns.

    9. Re:Its only SuperFish-like by Anonymous Coward · · Score: 0

      Brilliant.

  4. Test your system. by khasim · · Score: 5, Informative

    https://edell.tlsfun.de/

    I don't think it is "accused" any more. It's pretty much proven.

    1. Re:Test your system. by Anonymous Coward · · Score: 0

      Thanks for the link. My 3 year old Alienware 17 R4 doesn't have the malicious certificate and it's running the OEM Win7.

    2. Re:Test your system. by Thumper_SVX · · Score: 1

      It's worth noting that my Alienware 15 and my E7240 don't have any such cert on them. Both are still OEM builds... though the AW15 has been upgraded to Windows 10 while the E7240 is still running 7 (because I actually like to get work done on that :)

      Just also tested my Venue 11 Pro and it DOES have the cert. Interesting.
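
Added example (not part of the original thread or any commenter's post): a PowerShell audit of the Windows root stores for the condition the comments above turn on, a trusted root certificate whose private key is present on the machine, together with the "copy it to the untrusted store" mitigation suggested earlier in the thread. The function names and the watch list are illustrative assumptions; only the name eDellRoot comes from the story.

```powershell
# Added example: audit trusted root stores for CA certificates that have a
# private key on this machine, and optionally distrust one of them.
# Function names and $WatchList are illustrative; 'eDellRoot' is from the story.

$WatchList = @('eDellRoot')   # certificate names to flag even without a key

function Get-SuspectRootCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $simpleName  = $cert.GetNameInfo($nameType, $false)   # $false = subject, not issuer
            $onWatchList = $WatchList -contains $simpleName
            # A trust anchor normally carries only a public key. A root that
            # also has its private key locally lets anyone who extracts that
            # key issue certificates this machine will accept.
            if ($cert.HasPrivateKey -or $onWatchList) {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    OnWatchList   = $onWatchList
                    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                }
            }
        }
    }
}

function Block-RootCertificate {
    # Copies the public part of a root certificate into LocalMachine\Disallowed
    # (shown as "Untrusted Certificates" in certmgr). Requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint
    )
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
        Where-Object Thumbprint -eq $Thumbprint |
        Select-Object -First 1
    if (-not $cert) {
        throw "No root certificate with thumbprint $Thumbprint was found."
    }

    # Rebuild the certificate from its encoded bytes so that no private key
    # reference is carried into the Disallowed store.
    $publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $cert.RawData)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Disallowed', 'LocalMachine'
    if ($PSCmdlet.ShouldProcess($cert.Subject, 'Add to LocalMachine\Disallowed')) {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        try {
            $store.Add($publicOnly)
        }
        finally {
            $store.Close()
        }
    }
}

# Report first. Review the output before distrusting anything: a machine that
# legitimately hosts an internal CA will also show a root with a private key.
Get-SuspectRootCertificate | Format-Table -AutoSize

# Dry run of the mitigation for watch-listed certificates (remove -WhatIf to apply):
# Get-SuspectRootCertificate | Where-Object OnWatchList |
#     ForEach-Object { Block-RootCertificate -Thumbprint $_.Thumbprint -WhatIf }
```

Since one commenter reports that the certificate is reinstalled on updates, rerun the report after updating rather than relying on a one-time check.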

  5. I don't know it's a fact, I just know it's true... by Kevin+by+the+Beach · · Score: 1

    David Hannum is quoted as saying "There's a sucker born every minute" (In reference to a P.T. Barnum hoax)

    People in the know will quickly repair this huge hole, unfortunately the masses aka "suckers" will leave this vulnerability open to the world.

    Mission accomplished.

  6. DUDE, you're getting a superfish certificate! by JoeyRox · · Score: 1

    Whoa, thanks man. Want to burn one after school?

  7. Drucker said "Satisfy Your Customer" by BoRegardless · · Score: 2

    So Dell satisfies its corporate customers.

  8. Dell is for cows. by Anonymous Coward · · Score: 0

    You are all cows. Cows say moo. MOOOO! MOOOO! Moo cows MOOOO! Moo say the cows. YOU ROOTKITTED COWS!!

  9. thinkpenguin, librem and eoma68 laptops by lkcl · · Score: 4, Insightful

    ... y'know... it has to be said, this is precisely why thinkpenguin (and other FSF-Endorsed hardware) do wipe-it-down-to-the-bedrock products, even to the extent of replacing the standard BIOS with coreboot, and why the purism librem laptop exists (and was successfully funded last year). but even there, the problem is that for the past 15 years all intel processors have to have an RSA-signed bootloader that goes into EEPROM on-board the processor, where there's absolutely no chance of obtaining the source code for that proprietary firmware blob. you have absolutely no idea what goes into that bootloader, but it's already been demonstrated that your laptop - and your desktop - can be woken up by external network signals - without your consent or knowledge - *even when you powered them down*.

    the only possible solution here is... to not use intel (or AMD) processors. and that opens up a whole can of worms, which is why i've been sponsored to make an upgradeable laptop. if any one CPU is ever found to have problems, the whole CPU Card can be popped out and replaced... *without* having to throw away the entire laptop.

    designing a laptop from the ground up so that its main CPU module can be replaced... only two years ago that could have been said to be "total paranoia". now we have the kinds of stunts being pulled by Dell, Lenovo and the NSA which were only previously believed to *potentially* be carried out...

    1. Re:thinkpenguin, librem and eoma68 laptops by hairyfeet · · Score: 1

      Sorry but you are incorrect, AMD doesn't have any nasty shit in the CPU. There was talk a couple years back of adding an ARM DRM chip for those business customers that wanted a TPM style system but nothing ever came of it.

      You can now happily go buy an AMD CPU based system which they opened the docs on a couple years back (they even go so far as to pay devs on both the Coreboot and FOSS driver teams so to speed up support of their chips) and as far as their APUs are concerned the only part of the docs you cannot have are the parts concerning HDMI HDCP, which is property of Intel and thus cannot be shared. Of course if you do not use HDCP protected content you won't have to worry about it as the whitepapers show the AMD APUs simply use a small "shim" to protect the memory on a part of the GPU normally used for graphics, as unlike Intel they do not dedicate silicon for HDCP.

      BTW if you want to make an "upgradeable" laptop your best bet would be AMD socket AM1, it uses less than 25w under load for the fastest chip, has a nice Radeon GPU capable of 1080P over HDMI for all 4 chips in the line, and is very affordable with the most expensive (2.07 Ghz quad APU) only costing $54, which means you could make a really nice affordable laptop with those chips rather easily.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:thinkpenguin, librem and eoma68 laptops by queazocotal · · Score: 1

      That's not enough, to a large degree.
      It must also be designed so that no peripheral outside of the CPU is trusted, if you're going that far.
      Hard drives, network peripherals, ... all today have CPUs of their own, usually with entirely secret firmware, and often access to the bus.

    3. Re:thinkpenguin, librem and eoma68 laptops by mlts · · Score: 2

      For home/SOHO usage, what also might help is adding a router and virtualization. The router ideally should be a small PFSense appliance with snort on it.

      Virtualization helps because it keeps things isolated. Nothing is perfect (as in theory, the hypervisor can be compromised), but with a layer separating the desktop OS from the bare metal, and an active gatekeeper that can easily block stuff phoning home, this will help with mitigation.

      For example, web browsing. Running the day to day browser in a VM [1] will go far in ensuring that a compromise via the browser won't go far. Since most browsers will sync bookmarks, a complete rollback to a known good snapshot every so often (Patch Tuesday, for example) will not waste much time.

      Later companies/enterprises are a different story. However, they have a lot more tools, such as VDI, better IDS/IPS monitors, and so on.

      On a side note, the parent poster has presented a good argument about why a desktop should be AMD. Definite food for thought.

      [1]: Running the VM on a SSD will help performance out, otherwise the main OS and the VM will always be fighting for control of the drive heads.

    4. Re:thinkpenguin, librem and eoma68 laptops by Anonymous Coward · · Score: 0

      the only possible solution here is... to not use intel (or AMD) processors.

      ARM is even more blob-ridden, and the problem is not solved by an elegant CPU design anyway, because backdoors can be inserted anywhere in the manufacturing chain. Extremely subtle bugs can offer total control. The bugs can be inserted, or activated, in a serialized way, and when hardware trickery is involved it's almost impossible to tell two devices are identical.

      Three things give, I think, a little hope:
        - repeatable builds for Tor, Firefox. If something like repeatable builds existed for hardware, so that we could verify two chips were identical, we could have more confidence in hardware. No such thing exists, but maybe it could. For example, we could test that a device is an FPGA, then test that its size is something between x and y (ex. by power consumption), then load a serialized, obfuscated core into it---there is some random seed to the layout function---that communicates outside the chip over encrypted links, and claim we are safe because an FPGA of size y would be too small to subvert the core. Maybe there is a better way.
        - TPM. ex., U2F fobs don't prevent you from getting pwned, but allow you to recover once you are pwned. TPM disk encryption in ChromeOS makes password changes and wipes meaningful and rate-limits password guess attempts, while Ubuntu or Android disk encryption can be unlocked with an old password using an old disk image or SSD firmware rollback, and can be attacked offline. A small, verified computer attached to a large, unverified one can provide a few meaningful promises.
        - simple, useful devices. Many people look at computer history museums and go wowzer over their phones, "I can't believe I have a more powerful machine in my pocket." I'm more amazed by the lack of connection between usefulness and computing power. In many ways old machines were more useful. Executives are starting to carry dumbphones to avoid distraction and needless complexity. Possibly the repeatable-build-like verification techniques couldn't apply to a modern Intel CPU but could apply to a much simpler and slower computer that was still useful, if we chose to build something far beneath our capability.

      less revolutionary stuff strikes me as amateur hardware design. I think it's a good student project, but not a real solution. You might be better off either selling out to a real job where you do real hardware design and are paid properly, or going into research that's impractical for now but scrapes toward a real solution.

    5. Re:thinkpenguin, librem and eoma68 laptops by AmiMoJo · · Score: 1

      Presumably that's only for the on-board LAN. Just use a PCIe LAN card instead (non Intel chipset).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. Not just laptops by INTPTT · · Score: 4, Informative

    It's not just laptops. We confirmed it was on a Dell Precision 5810 desktop workstation, purchased early May 2015.

    1. Re:Not just laptops by Anonymous Coward · · Score: 0

      So they're doing this on both Dell consumer AND corporate machines? Guess I won't be recommending or buying any new Dell systems anymore..

  11. Two down... by MrKrillls · · Score: 2

    Guess I shouldn't trust Lenovo or Dell for new machines.

    --
    Don't step on the baby.
    1. Re:Two down... by Intron · · Score: 3, Funny

      Yeah. Good thing we can still trust Huawei.

      --
      Intron: the portion of DNA which expresses nothing useful.
  12. You're surprised by Anonymous Coward · · Score: 0

    And even that is not surprising.

  13. Self-signing root certificates on laptops .. by nickweller · · Score: 1

    What impact would these self-signing root certificates have on security?

    1. Re:Self-signing root certificates on laptops .. by Fnord666 · · Score: 1

      What impact would these self-signing root certificates have on security?

      All root certificates are self signed. It's just a matter of whether you choose to trust them or not. Your system comes with a bunch of certificates that it trusts as root certificates. Dell just added an extra one to the mix.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:Self-signing root certificates on laptops .. by Anonymous Coward · · Score: 2, Informative

      The problem isn't that it's self-signed - it's that they gave it the maximum possible authority and shipped it *with the private key included*, rather than just the public key.

      So, now *anyone* on the internet can sign their malicious web traffic, application, or driver with Dell's key and it will be trusted by all affected Dell computers. This would allow, for example, impersonating financial or e-commerce websites to steal people's credit card numbers or other personal data.

      When Lenovo did the same thing a while back, they were using it to spy on and inject ads into people's web traffic - even supposedly private encrypted sessions.

    3. Re:Self-signing root certificates on laptops .. by nickweller · · Score: 2

      Brilliant reply, I take back anything negative I've ever said about Slashdot and the commentators.

  14. Public key pinning by manu0601 · · Score: 1

    Even HTTP Public Key Pinning (HPKP) is not a solution against this kind of mess, since intercepting software could alter the Public-Key-Pins header.

    1. Re:Public key pinning by cbhacking · · Score: 1

      It would work with a preloaded pin list similar to the HSTS preload list, for sites that should use HTTPS even on the first visit. It would also work for sites like Google properties (in Chrome) or Mozilla properties (in Firefox) where the expected cert is baked into the browser even in advance of HPKP deployment.

      It would also work if nobody was intercepting your traffic the first time you visited the site. You would only be in danger if you were being intercepted every single time, including the first time, with this rogue certificate. That's a relatively low-risk threat, though the possibility of such interception does exist and this is why HSTS has a preload list.

      But yes, this kind of pwned-before-you-even-start thing is Really Bad.

      --
      There's no place I could be, since I've found Serenity...
  15. Private Key? by Fnord666 · · Score: 1

    So not only do these machines have a preinstalled, Dell generated root certificate, but they included the private key? WTF? The private key for a root certificate should only exist on a locked down, air gapped computer in an access controlled environment. The fact that this was included is downright scary.

    A good tinfoil hat wearing individual might conclude that one of the TLAs told them to install a system that could automatically load signed executables without the user's knowledge. In a fit of defiance they created this certificate knowing that it would be discovered and would call into question the reasons behind it.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  16. Key Revocation by Fnord666 · · Score: 1

    Well, the good news is that with the private key available I believe that anyone could generate a revocation for this certificate. First person to revoke this key on every major key repository wins a bag of gummy bears!

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  17. So wait.. by Anonymous Coward · · Score: 0

    [x] Fuck Windows, it's spyware
    [x] Firefox is still best browser
    [x] Fuck Dell
    [x] Fuck Lenovo
    [x] Fuck Ubuntu (and Redhat)

    Yep. Said it all before, saying it again now.

    Get with the times noobs.

  18. The CA secret cert is also present by gweihir · · Score: 2

    According to heise.de, just marked "non-exportable" (sorry, no English link):

            http://www.heise.de/newsticker...

    Person that reported this initially:

        https://www.reddit.com/r/techn...

    Apparently being non-exportable is no protection whatsoever, and people are already offering the CA cert for download, which then lets everybody sign for this CA.

    It is hard to display more fundamental incompetence with regards to certificate handling.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. Contact your Dell reps! by Anonymous Coward · · Score: 0

    Let them know that this is unacceptable. I'm posting as AC because I sent this article to them.

    1. Fire the people responsible (not the low level employees following orders)
    2. Public apology

  20. Removal Instructions by Thumper_SVX · · Score: 1

    1. Go to your Services... either run "services.msc", "compmgmt.msc" or "Open Services" from Task Manager.
    2. Stop the Dell Foundation Service
    3. Browse to c:\Program Files\Dell\Dell Foundation Services directory and delete the Dell.Foundation.Agent.Plugins.eDell.dll file
    4. Launch Certificate Manager by running "certmgr.msc"
    5. Browse to "Trusted Root Certificates \ Certificates"
    6. Locate the eDellRoot certificate and delete it.
    7. Restart your Dell Foundation Services. Voila... doesn't come back after a reboot.
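
The removal steps in the comment above, scripted in PowerShell as an added example (not part of the original comment and not Dell's own tooling). It assumes the certificate sits in the machine-wide root store and that the service's display name starts with "Dell Foundation Service"; the function name `Remove-EDellRoot` is hypothetical.

```powershell
# Added example, not from the original comment. Run in an elevated PowerShell session.
# The certificate name, plugin path and service name are taken from the steps above;
# the LocalMachine store location and the display-name wildcard are assumptions.
function Remove-EDellRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$CertName   = 'eDellRoot',
        [string]$Store      = 'Cert:\LocalMachine\Root',
        [string]$PluginPath = 'C:\Program Files\Dell\Dell Foundation Services\Dell.Foundation.Agent.Plugins.eDell.dll',
        [string]$ServiceDisplayName = 'Dell Foundation Service*'
    )

    # Audit first: list matching roots and whether a private key is attached.
    $certs = @(Get-ChildItem -Path $Store | Where-Object { $_.Subject -like "*$CertName*" })
    if ($certs.Count -eq 0) {
        Write-Output "No certificate matching '$CertName' in $Store."
        return
    }
    $certs | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey | Out-Host

    # Steps 1-2: stop the service before touching its files.
    $services = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue)
    $services | Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force

    # Step 3: delete the plugin DLL named in the instructions.
    if (Test-Path -LiteralPath $PluginPath) {
        Remove-Item -LiteralPath $PluginPath -Force
    }

    # Steps 4-6: remove the root from the store, together with its private key.
    foreach ($cert in $certs) {
        Remove-Item -Path $cert.PSPath -DeleteKey
    }

    # Step 7: restart the service, then confirm the root is gone.
    $services | Start-Service
    $left = @(Get-ChildItem -Path $Store | Where-Object { $_.Subject -like "*$CertName*" })
    Write-Output "Remaining '$CertName' certificates in ${Store}: $($left.Count)"
}

Remove-EDellRoot -WhatIf   # dry run; drop -WhatIf to apply
```

Re-run the audit portion after the next reboot to check that the certificate has not been re-added.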

  21. Well, if you choose to buy from the Chinese army.. by Anonymous Coward · · Score: 0

    you should hardly be surprised to get something that's been "weaponized", and particularly that it's not been thus modified in your favor.

    DOH!

    It's a bit like slashing your own wrist and then complaining about the bloody mess.

    Lenovo is just more of the residue that you get when an American company cashes-out and sells its manufacturing to a Chinese "company" that is really just a shell of the Communist Party and its People's Army... it's a marketing firm's western-sounding name slapped onto something so opaque and so intertwined with an opaque, hostile, totalitarian government that you're more of an idiot to trust it than you'd be to trust the NSA to be your ISP.

  22. Nice superfish-like by Anonymous Coward · · Score: 0

    i'm wan't superfish-like :D .
      LMJ-Likerz