
Dell shipping laptop with rogue self-signed root CA - cstross
https://np.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/
======
tedunangst
Karmic. Straight from Dell's website:

Dell is serious about your privacy

Worried about Superfish? Dell limits its pre-loaded software to a small number
of high-value applications on all of our computers. Each application we pre-
load undergoes security, privacy and usability testing to ensure that our
customers experience the best possible computing performance, faster set-up
and reduced privacy and security concerns.

~~~
eric-hu
This raises an interesting paradox to me. How would the people writing the
marketing copy for any product that was supposedly Superfish-resilient
actually know that it was?

Is the solution to simply not have marketing around such technical details?
_Is there a solution?_

~~~
chimeracoder
> This raises an interesting paradox to me. How would the people writing the
> marketing copy for any product that was supposedly Superfish-resilient
> actually know that it was?

A big difference is that Dell's inclusion of the private key appears to be a
(major) screwup by someone with technical responsibility[0], whereas Superfish
was downright intentional and involved people all over the company.

In that light, this doesn't really appear to be a paradox - no company should
ever market themselves as being immune to mistakes and/or breaches. But it's
pretty straightforward to live up to promises that you won't _intentionally_
compromise all security whatsoever just to make a few ad dollars (which is
what Lenovo did).

[0] As far as I can tell, there's no evidence that Dell benefits in any way
from shipping the private key, so I'm going to invoke Hanlon's razor until we
discover otherwise:
[https://en.wikipedia.org/wiki/Hanlon%27s_razor](https://en.wikipedia.org/wiki/Hanlon%27s_razor)

~~~
cm2187
But it would be a screw up in Dell's core activity. It's like Intel screwing
up the design of the Xeon. I would be surprised if this didn't get approved by
many people before going ahead.

~~~
yohui
At least on the consumer end, I'd say Dell's "core activity" is hardware, not
software. This is more like Intel selling software that can screw up your
computer: [https://www.mcafee.com/](https://www.mcafee.com/)

~~~
cm2187
Hardware and the drivers associated.

------
jkot
Seems like a way to bypass signed drivers. Sending drivers to Microsoft for
signing takes a few weeks and costs money. I bet this certificate was used on
prototypes, but was not removed from final version for some reason.

Source: I worked for a hardware vendor and wrote Windows drivers.

~~~
ryan-c
I have seen driver installers that just install their own CA. A particularly
clever one generated a CA at install time, signed the driver, deleted the
private key, then installed the driver; however, this relied on internet access
during install to timestamp the driver signature.

I wonder if this works for kernel mode drivers?

~~~
pjc50
This is (a) hilarious and (b) a massive security hole in the whole concept of
signed drivers.

------
ctz
Here's a test website from Kenn White:

[https://bogus.lessonslearned.org/](https://bogus.lessonslearned.org/)

~~~
cpach
What does the test site do?

~~~
finnn
It's got a certificate signed by the bogus certificate authority that Dell
bundled. So if your browser accepts the certificate (e.g. shows a green https
instead of preventing the page from loading and displaying a warning) then the
CA is installed and trusted on your machine.

------
guelo
On Android I only buy and recommend Nexus devices because of crapware, privacy
and security concerns. It might be a good time for Microsoft users to switch
to that same strategy and only buy Microsoft devices, since the introduction
of Microsoft's own laptop makes it possible. It's also pretty much the Apple
model.

~~~
okuli
Microsoft sells laptops from different manufacturers with Signature Edition.
Those laptops don't have any junk.

~~~
criddell
> Those laptops don't have any junk

I bought a Signature Edition Thinkpad Yoga S1 from Microsoft and it didn't
have any junk on it, except in the registry. I think all they do is open the
machine, uninstall all the non-Microsoft stuff, then ship the machine. A clean
install wouldn't have registry keys for Evernote (for example).

I think I would only buy a Microsoft Surface machine at this point. The
hardware is very good and they aren't junked up.

------
stronglikedan
I have a Dell M3800 that was purchased in March and has this cert. I am not
well versed in this area. What do I do? Can I just delete it from the
"Certificates" snap-in in MMC? (And should I?)

~~~
stronglikedan
I'm replying to my own comment, because I can no longer edit it. This is a
response that I received from reddit [0]. I haven't attempted it yet, but I
wanted to include it here for completeness (and opinions):

> You can safely delete it from both the root and personal certificate stores.
> You will also need to remove the eDell plugin entirely otherwise the
> certificate will simply be reinstalled. If you have "Dell Foundation
> Services" listed in your programs you can uninstall it, otherwise you'll
> need to look for "Dell.Foundation.Agent.Plugins.eDell.dll" and delete it.

[0]
[https://www.reddit.com/r/tech/comments/3tzwuv/dell_does_a_su...](https://www.reddit.com/r/tech/comments/3tzwuv/dell_does_a_superfish_ships_pcs_with_easily/cxauqf5)
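A read-only inventory check for the question above and the quoted reddit advice, as an added example (not from the thread, Dell, or reddit): it lists every copy of the eDellRoot certificate in the Windows root and personal stores, reports whether its private key is present on the machine, and looks for the plugin DLL the reply says will reinstall it. It assumes the certificate subject contains "eDellRoot" and that the DLL lives under Program Files; it deletes nothing.

```powershell
# Added example: inventory eDellRoot in the Windows cert stores (read-only).
# Assumption: the certificate's Subject contains "eDellRoot".
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',   # trusted root stores
    'Cert:\LocalMachine\My',   'Cert:\CurrentUser\My'      # personal stores
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # A trusted root CA should never have its private key on an endpoint.
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object { $_.HasPrivateKey }) {
        Write-Warning 'eDellRoot is trusted AND its private key is present: anything signed with it is trusted here.'
    }
} else {
    Write-Output 'eDellRoot not found in the root or personal stores.'
}

# The quoted reply: the eDell plugin reinstalls the certificate if left in place.
# Assumption: the DLL is somewhere under Program Files / Program Files (x86).
$dllName = 'Dell.Foundation.Agent.Plugins.eDell.dll'
$roots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$dll     = Get-ChildItem -Path $roots -Recurse -Filter $dllName -ErrorAction SilentlyContinue
if ($dll) {
    Write-Warning "eDell plugin present: $($dll.FullName -join ', ')"
} else {
    Write-Output "$dllName not found under Program Files."
}
```

Run it again after following Dell's removal PDF to confirm both the certificate copies and the DLL are gone.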

~~~
stronglikedan
Here's the removal process from Dell (PDF):
[https://dellupdater.dell.com/Downloads/APP009/eDellRootCerti...](https://dellupdater.dell.com/Downloads/APP009/eDellRootCertificateRemovalInstructions.pdf)

------
Animats
Take a look at the screenshot of the certificate store. Why are expired certs
from 1999 in there? What's that "NO LIABILITY ACCEPTED" cert? Do you really
have the private key for the self-signed cert?

This is worth a vulnerability report to US-CERT, and more publicity.

~~~
clwg
Those weird trusted root CAs are preloaded by Microsoft:
[https://support.microsoft.com/en-us/kb/293781](https://support.microsoft.com/en-us/kb/293781)

------
philh
[1] suggests that this can be used for code signing, but not to MITM network
requests, which makes it bad in a different way to Superfish.

[1]
[https://np.reddit.com/r/technology/comments/3twmfv/dell_ship...](https://np.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/cxa00fo)

~~~
diafygi
Right, but the private key is also included(!), so anyone can now sign code
that will be trusted by these computers.

Edit: Confirmed, it can issue SSL certs.
[https://mobile.twitter.com/_xpn_/status/668745489823768576](https://mobile.twitter.com/_xpn_/status/668745489823768576)

~~~
cpach
Why in the world did Dell ship the private key?

~~~
Swannie
So that a program could use this Cert + Key to create arbitrary signed certs
for google.com, facebook.com, etc. etc.

This is what the Superfish software did.

------
01Michael10
One should always do a clean install of Windows with an OEM disc when buying a
new PC. You can avoid a lot of issues that way...

~~~
gootdude
Lenovo uses Microsoft Windows Platform Binary Table to install bloatware,
which gets around any kind of clean install/reset.

Clean install for Windows means nothing when you have shady vendors utilizing
this mechanism.

~~~
eridal
What about installing an intermediate Linux system?

Like

    1. start with Windows pre-installed
    2. install any Linux distro, fully overwriting the OEM
    3. re-install Windows, from Microsoft

I'd say just stop at step 2 ;) but I can understand that not everybody can do
this (e.g. a work computer) but still wants a clean OS.

Will this method work to remove such bloatware?

~~~
morcheeba
This won't work because the firmware will write a file to your hard drive with
the bloatware. It's scary that firmware will modify my filesystem - lots of
damage could happen here.

Also, instead of step 2, it would make more sense to boot linux on a usb stick
and use dd to erase the hard drive -- this is more complete than installing
another OS... but still useless if the firmware is working against you.

~~~
lmz
In this case Windows will write to your filesystem, not the firmware. Of
course there is nothing stopping a firmware from writing to the disk before it
loads any OS, but that is true with any OS not just Windows.

------
nailer
Related: how to control the SSL CAs your browser trusts, on nearly every
device (except iOS 9).

[https://news.ycombinator.com/item?id=10615829](https://news.ycombinator.com/item?id=10615829)

------
devnull42
Regardless of why this is here, negligence or cost cutting, this is pretty bad
and leaves the systems pretty open.

------
Spooky23
I love the Dell response: "We have top men working on it."

~~~
dantillberg
Can you link to where you see this? I don't see that quote in TFA.

~~~
Spooky23
I think the mods changed the link. The original was a blog post, and one of
the comments was from Dell and essentially said "We are Dell and we like
security. Our experts are furiously working on security. We'll let you know
what they come up with."

------
guelo
This should be the NSA's job, keeping us safe from all the corporate and
foreign government cyber espionage that is completely out of control. In
reality they don't give a shit because they like to free ride on top of all
the other backdoors as well as the ones they create.

~~~
strictnein
The NSA's job does entail keeping government communications secret and secure.
So whole buildings of people do "give a shit" about stuff like this.

~~~
flyryan
Since Dell holds a ton of government contracts and a good amount of government
computers are Dell, you can guarantee they most DEFINITELY "give a shit" about
this.

------
giancarlostoro
One thing to note is, if you have your own Windows disks (some organizations
might have) or if you use Linux this might not really matter to you. I wish
laptops and desktops were sold without Operating Systems by the major
companies, outside of server space.

~~~
eager_noob
There are quite a few low-end laptops available in India without any
pre-installed OS. Most people who buy these end up using some pirated copy of
Windows which is either left unpatched and vulnerable or comes with some form
of malware already installed. It hasn't been great for security or privacy,
sadly. No one I know uses Linux on them or forks out any money for a Windows
license, which they deem to be too costly.

------
Avitas
It's hard for me to imagine a company as big as Dell making such a bone-headed
blunder.

~~~
astrodust
Volkswagen made a much bigger blunder, as you might have heard. Sometimes
companies fail to comprehend the consequences of their actions.

~~~
lazaroclapp
In that particular case, it's likely less "fail to comprehend the consequences
of their actions" and more "underestimate the chances of being caught"...

------
rasz_pl
Off topic: I don't reddit that much, so this is the first time I've seen this
banner (specifically crafted to not be copyable!)

> You have been linked to a read-only version of this subreddit. Please
> respect the community by not voting. Please do not vote or comment when you
> come from external subreddits.

wtf?

~~~
WatchDog
When you add the np subdomain prefix to a reddit domain, it links to a
non-participation version of the page. The idea is that it helps to reduce
"brigading", as in if a thread is linked to by an external party or another
subreddit, the thread is not so easily derailed from its original context and
audience. Of course, if you actually want to participate in the thread, it's not
difficult to simply remove the prefix. But it might make some people think
twice. NP links are mainly used by inter-subreddit references, as "brigading"
is against the reddit rules, and can result in a subreddit being banned. I can
see why it all seems a bit ridiculous.

~~~
rasz_pl
Thank you for the explanation. It does look very tinfoil hat for the outsider
with no knowledge of what it is.

------
NickHaflinger
Test for eDellRoot certificate:

[https://edell.tlsfun.de/](https://edell.tlsfun.de/)

------
doggydogs94
The self-signed certificate is probably something a developer at Dell was
using for testing and forgot to delete.

