Dell is serious about your privacy
Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns.
Is the solution to simply not have marketing around such technical details? Is there a solution?
A big difference is that Dell's inclusion of the private key appears to be a (major) screwup by someone with technical responsibility, whereas Superfish was downright intentional and involved people all over the company.
In that light, this doesn't really appear to be a paradox - no company should ever market themselves as being immune to mistakes and/or breaches. But it's pretty straightforward to live up to promises that you won't intentionally compromise all security whatsoever just to make a few ad dollars (which is what Lenovo did).
As far as I can tell, there's no evidence that Dell benefits in any way from shipping the private key, so I'm going to invoke Hanlon's razor until we discover otherwise: https://en.wikipedia.org/wiki/Hanlon%27s_razor
I'm not really sure I'd say that this is comparable to Intel screwing up the design of the Xeon.
But either way, there's a big difference between "we made a serious technical error, and nobody at the company caught this" and "we intentionally compromised our entire product because advertisers were willing to pay us, and nobody at the company stopped this".
If you want a fun corporate PR check out Microsoft's http://niewspierajhakera.pl/
This is a Polish anti-piracy campaign equating everyone who calls himself a hacker to an ISIS terrorist and a pedophile :/ That's right, they uploaded YT clips showing "hackers" in balaclavas collecting child porn. At the very same time Microsoft openly calls Polish makers hackers in another part of its corporate portal.
They just write whatever sells.
Source: I worked for a hardware vendor and wrote Windows drivers.
I wonder if this works for kernel mode drivers?
For example, the XPS 15: https://www.microsoftstore.com/store/msusa/en_US/pdp/Dell-XP...
I bought a Signature Edition Thinkpad Yoga S1 from Microsoft and it didn't have any junk on it, except in the registry. I think all they do is open the machine, uninstall all the non-Microsoft stuff, then ship the machine. A clean install wouldn't have registry keys for Evernote (for example).
I think I would only buy a Microsoft Surface machine at this point. The hardware is very good and they aren't junked up.
For that price I'd buy a gamer laptop and just do a clean install.
Noticed this while I was installing the MITM cert for CharlesProxy.
Mission Impossible: Hardening Android for Security and Privacy
> You can safely delete it from both the root and personal certificate stores.
You will also need to remove the eDell plugin entirely otherwise the certificate will simply be reinstalled. If you have "Dell Foundation Services" listed in your programs you can uninstall it, otherwise you'll need to look for "Dell.Foundation.Agent.Plugins.eDell.dll" and delete it.
This is worth a vulnerability report to US-CERT, and more publicity.
Edit: Confirmed can issue ssl certs. https://mobile.twitter.com/_xpn_/status/668745489823768576
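An added check for the condition the comments above describe: a certificate in the root store whose private key is also present on the machine (which is what makes it usable to issue TLS certificates), plus the plugin that reinstalls the certificate after deletion. This is example code written for this page, not code from Dell or from anyone in the thread. It assumes an elevated PowerShell session, the standard Uninstall registry keys, and that the plugin DLL lives under a Program Files directory; the DLL name and the "Dell Foundation Services" program name are taken from the thread.

```powershell
# Added example (not from the original thread). Audit the Windows certificate
# stores for self-signed certificates that also carry a private key locally.
# A trusted root whose private key is on the box can sign a leaf certificate
# for any hostname, which is the problem the thread describes.
function Find-SelfSignedWithPrivateKey {
    $stores = @(
        'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',   # root stores
        'Cert:\LocalMachine\My',   'Cert:\CurrentUser\My'      # personal stores
    )
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                # Self-signed (Subject equals Issuer) AND the private key is present here.
                $_.Subject -eq $_.Issuer -and $_.HasPrivateKey
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# The thread notes that deleting the certificate alone is not enough because the
# eDell plugin puts it back. Report whether the plugin DLL or the parent program
# is still installed. The Program Files search root is an assumption.
function Test-EDellPlugin {
    $dllName = 'Dell.Foundation.Agent.Plugins.eDell.dll'   # name from the thread
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $dll = foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Filter $dllName -ErrorAction SilentlyContinue
    }

    # Installed-programs list lives under the Uninstall registry keys (64- and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $program = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Dell Foundation Services*' }

    [pscustomobject]@{
        PluginDllPaths   = @($dll | ForEach-Object { $_.FullName })
        ProgramInstalled = [bool]$program
    }
}

$findings = Find-SelfSignedWithPrivateKey
if ($findings) {
    Write-Warning 'Self-signed certificates with a local private key were found:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No self-signed certificates with a local private key in the checked stores.'
}

$plugin = Test-EDellPlugin
if ($plugin.ProgramInstalled -or $plugin.PluginDllPaths.Count -gt 0) {
    Write-Warning 'eDell plugin or Dell Foundation Services still present; remove it before deleting the certificate, or it will be reinstalled.'
    $plugin | Format-List
}
```

The audit is deliberately read-only. Once the plugin is uninstalled (or the DLL removed, per the comment above), the certificate itself can be deleted with `Remove-Item` on its `Cert:\...\<thumbprint>` path in each store where it was reported; re-run the audit afterwards to confirm it has not come back.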
This is what the Superfish software did.
Of course, if they had known better they probably would not have shipped it with the private key protected by such an obvious and weak password.
Clean install for Windows means nothing when you have shady vendors utilizing this mechanism.
I mean, come on, Microsoft, what were you thinking? Vendors gonna vend, so you had to know how this "feature" was going to be used.
1. start with Windows pre-installed
2. install any Linux distro, fully overwriting the OEM install
3. re-install Windows, from Microsoft
Will this method work to remove such bloatware?
Also, instead of step 2, it would make more sense to boot Linux from a USB stick and use dd to erase the hard drive -- this is more complete than installing another OS... but still useless if the firmware is working against you.
Microsoft really needs to reel in the bad behaviour on the part of the OEMs.
It cost Microsoft many billions of dollars, almost had the company broken up, and put them under close Department of Justice supervision for a decade. I don't think Microsoft will risk anything like that again.
Microsoft was also prevented from charging the major OEMs different prices, which was its main way of rewarding OEMs for doing installations the way Microsoft wanted.
Microsoft had been forced to sign a consent decree in 1995, which prevented it from tying new products to the OS but specifically allowed it to add new features to the OS. It therefore didn't have much choice about its arguments, though (like every other OS supplier) it obviously wanted to include a browser. Equally obviously, delivering a free browser as part of the OS was good for consumers, which is why Microsoft won the browser bundling case on appeal.
Microsoft had also componentized the browser so that different functions could be used by other programs, which to some extent, did make it part of the OS. (Much of the anti-trust case argument on that topic was phenomenally stupid.)
>It was also forcing PC manufacturers to pay a royalty for every PC sold, whether or not it was bundled with DOS or Windows
Don't think so. That was a deal offered to some OEMs, but as far as I know, it was never forced on anybody. In any case, the US Justice Department banned the idea in 1994. I tend to think 21+ years is a bit of a long time to hold a grudge about something that was killed before it took off.
> Digital Research -- the company Microsoft essentially stole DOS from, but that's another story
Well, DR screwed up massively by refusing to sign a deal with IBM, then by charging too much for DR DOS, and then Apple screwed it in a court case over the UI in DR GEM. Either way, DR was dead long before the Microsoft anti-trust suit.
Depends on what you mean by "forced", right? If a PC manufacturer's choice is between not selling PCs with Windows pre-installed and having to pay a per-PC license for Windows whether Windows is installed or not, then effectively it's forced. And this was likely in play for years, but covered by commercial in confidence.
> DR screwed up massively by refusing to sign a deal with IBM
Sure but that's a different issue entirely.
As a result of the litigation over 86-DOS/QDOS (which MS licensed from Seattle Computer Products) Seattle Computer Products, DR-DOS, IBM, and Microsoft ended up with the right to ship DOS. Microsoft acquired SCP's license for chump change via a dubious legal maneuver whereby it was forced to sell its license to MS rather than to anyone else for whatever they wanted to pay (I forget the detail, it's documented in one of the Gates biographies). DR and IBM continued to sell technically superior versions of DOS, but IBM's was bundled with IBM-branded hardware and DR was crippled by Microsoft's licensing contracts which became particularly effective once Windows 3.x came out.
> 21+ years is a bit of long time to hold a grudge
This is only the tip of the iceberg of MS's anti-competitive behaviors. Probably its most pernicious behavior was "dumping" on rivals (cross-subsidizing products such as Access until rivals went out of business) and actively sabotaging third-party software (e.g. -- allegedly -- deliberately breaking Lotus 1-2-3 on DOS 2.x and -- well-documented -- breaking Borland compilers in the Windows 95 betas, which might well have continued into the release version had it not been caught red-handed).
I have an HP laptop with a Windows 7 license key under the battery and I can only install Windows 7 from HP recovery disks.
Of course, I opted to say "fuck you" and torrented a Win7 installation disk and activator, but that is not an option most of the time.
> We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.
> Your trust is important to us and we are actively working to address this issue. We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately.
They are being asked about this over-and-over again, and they just spit back the same nothing response every time that is essentially what the person you replied to said.
Alas, no new ones for over 20 years.
I work at an enterprise software company a few orders of magnitude smaller than Dell. The number of people we have who don't even begin to understand how SSL works beyond 'it's encrypted now' is frustrating.
Dell can probably recruit better people than we can, but I don't know if they can recruit better people at volume, top to bottom. It only takes a couple of people to not understand what they are doing and 'just get it done' for this to happen.
> You have been linked to a read-only version of this subreddit. Please respect the community by not voting.
Please do not vote or comment when you come from external subreddits.