Second Dell backdoor root cert found A second root certificate has been found in new Dell laptops days after the first backdoor was revealed. The DSDTestProvider certificate was first discovered by Laptopmag. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key. Dell has been …
It was another accident. Honest. It's just another of those "internal" cert faking kits you've been reading about surprisingly frequently lately. For "testing" only, honest. It must have accidentally fallen into your box at the depot. We have now implemented industry leading robust state of the art safeguards to guarantee we'll never be caught doing exactly this ever again, again, and eNthusiastically eNcourage you to continue eNjoying your eDell eXperience.
We take your security and privacy. Seriously.
Thankyou.
--Dell PR
I do not quite see your point. The problem is not Dell (or Lenovo) hardware. It is the complete and utter incompetence in bundled software. That is common across the board in most hardware manufacturers. They "Do Not Get It". It does not matter what you do in software - you may walk on water, feed the hungry, etc, a geezer in the hardware department which has managed to reduce the number of capacitors on the board by one will get a bigger bonus and more kudos than you.
So rather unsurprisingly, they suck bricks in software (something which makes me wonder about the wonderful EMC deal as storage == 90% + software).
The solution to this is not to blacklist their hardware. It is to wipe their software and install from retail media. C'est la vie - it is something you have to budget for when buying a PC if you want it to work well.
This post has been deleted by its author
Can sort of see your point regarding Dell. Lenovo however was caught embedding its malware in the "secure (sic joke) boot" firmware, which was therefore an altogether more insidious and pernicious attack, effectively perpetrated in hardware. It remains to be seen whether there'll turn out to be a (hard/firm)ware element in Dell's attempted machinations but the intent is clearly there. So I'm with SR on this. Lenovo & Dell have both proven themselves unfit for purpose.
The problem is the "Dell Product". Subtle difference. The only* way to buy "Dell Hardware" is to buy "Dell Product".
Presumably when a "Dell Product" has been signed off the production line for QA purposes it is the overall product that has been signed off, not just the hardware. It is conceivable that the product may fail if it is stripped of its' software, then re-initialised and alternative software rolled out upon it.
If this were to happen and you ring Tech Support to say "my system is not working" the techies will say "OK, let's install the factory supplied software. Right, now does that work?" "Yes then I'm sorry sir/madam, but this is a software problem." If a Dell engineer (sub-contracted to Unisys in my experience) were to come down to fix your hardware at your premises then they would do exactly the same thing.
*Except if Dell ships non-selling product through a "remainder-broker" where you could potentially buy "Dell Hardware" without the froth. But if something ships through that channel, would you be interested in buying it anyway?
"If this were to happen and you ring Tech Support to say "my system is not working" the techies will say "OK, let's install the factory supplied software. Right, now does that work?" "Yes then I'm sorry sir/madam, but this is a software problem." If a Dell engineer (sub-contracted to Unisys in my experience) were to come down to fix your hardware at your premises then they would do exactly the same thing."
This. Exactly this.
Steven R
Actually, if they give that much of a crap about their software, can the hardware be right behind them? Pinching pennies on parts is one thing but this software problem indicates that the company has some serious issues that they need to address and their public response has been less than upfront.
I would knock them off the supplier list if I had that power where I work. We IT bods have enough on our plates without having to play games with suppliers.
Suddenly building your own servers is starting to look like a good idea again, if you appreciate actual security and must use Windows.
Or at least creating custom images from scratch and then standardizing on those rather than the canned OS that the manufacturer provides. Unless the manufacturer includes this sort of malware in their equipment's drivers... You are right, cross them off the list.
"the canned OS that the manufacturer provides"
the canned OS that the manufacturer provides sells you.
FTFY
Why do corporate purchases include a pre-installed WIndows OS + licence when the first thing they do is re-image them? Does the volume licence they pay mega££££ for require an OEM licence be attached to the PC or something?
"If I were a black hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," Graham says."I suggest international first class, because if they can afford US$10,000 for a ticket, they probably have something juicy on their computer worth hacking."
Good luck with that! Personally I'd be more inclined to lurk at the smeggiest end of coach. This *is* Dell shit we're talking about.
Senior managers don't tell devs to do brain-dead things like bundling private keys with root certificates. Maybe they're responsible for trimming software engineering budgets to the point where they can only afford to employ monkeys, but it's the monkeys committing these particular cock-ups.
Dell was the first place I encountered ageism. "The average age here is 27, do you really think you could fit in?" I was only 32! "Er, I find a wider range of ages makes for a more efficient environment." Thievin' eejits never even paid my promised travel expenses, and Limerick is not exactly a tourist destination unless you're a midge.
I told this to every subsequent, and invariably older, boss since then and they all dropped Dell.
This post has been deleted by its author
... and it is not like there would be private key was something encrypted inside executable or hidden elsewhere. It is in plain sight, scroll to 1:00 - 1:03 , you will see at the bottom of root certificate "You have a private key that corresponds to this certificate". Wow, my very own CA root!
There is one thing missing - it could be that the certificate is different on each Dell computer, since we have only seen video on one machine. Well, yeah, I am not counting on this. This was obviously made by clueless morons, under charitable assumption that malice is not involved.
Sometimes (goes in phases) I get asked why we go to the bother of creating our own Gold Image, and rebuilding every machine that we use when they are delivered with the latest and greatest O/S, trial software and up-to-date drivers for the modern wiz-bang add-on toys that everyone wants to play with...
Then this sort of thing happens, and I get to point and laugh. Thanks boys, for helping justify good security practice!
Too easy...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
