back to article Dell: How to kill that web security hole we put in your laptops, PCs

Dell has published a guide on how to remove the web security backdoor it installed in its Windows laptops and desktop PCs. This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole it in their defenses. New models from the XPS, Precision and Inspiron families include a powerful …

  1. The Nazz Silver badge

    Come back Sony

    all is forgiven.

    Hardly.

    My belief is beggared yet again.

    1. elDog Silver badge

      Re: Come back Sony

      As in Rootkit Sony is better than Dell is better than Lenovo?

      Haven't we all figured out by now that it is not the manufacturers who are implanting these vulnerabilities?

      1. Anonymous Coward
        Anonymous Coward

        Re: Come back Sony

        Haven't we all figured out by now that it is not the manufacturers who are implanting these vulnerabilities?"

        Those pesky TLAs can take their pick from probably >90% of the embarrasment of "trusted" root certificates installed on your machines - for which they hold copies of the "private" keys. They most certainly have no need to install yet another. They are also probably sufficiently competent to have not installed the private component.

        Pretty certain this particular débâcle is a wondrous display of cack-handed corporate pwnership and not state-sponsored.

        1. Wzrd1

          Re: Come back Sony

          "They are also probably sufficiently competent to have not installed the private component."

          Yet another example of crypto incompetence.

          Some are so inept as to not know what private and public keys are.

          1. Robert Helpmann?? Silver badge
            Childcatcher

            Re: Come back Sony

            Dell said it will post information on how to do this properly on its support website, and future machines will not include the dangerous root CA cert.

            However, they did not say what the replacement for this "feature" would be. Car manufacturers have to issue recalls for defective products, but Dell just gets to say sorry and post a self help guide. Yes, yes, it's a case of life and limb vs severe financial impact, but it seems as though Dell's fix is a little less than robust.

  2. Anonymous Coward
    Anonymous Coward

    Three Keys To Improved Computer Security.

    Ctrl-alt-Dell.

    1. Anonymous Coward
      Anonymous Coward

      Re: Three Keys To Improved Computer Security.

      What a bunch of Dildos.

      1. Ben Boyle

        Re: Three Keys To Improved Computer Security.

        Delldos

    2. Rick Giles
      Linux

      Re: Three Keys To Improved Computer Security.

      Ctrl-alt-Dell

      You can secure it in two "keys"... Install Linux

  3. VRSmiffSteen

    And now, we're reminded that Dell FU**ED EVERYONE - on purpose - when they sold the company for scrap value and went to hide on Mike's private Montana mountain and just snicker.... These people are vampires... Ooops, but that shouldn't surprise anyone... Dell is one of the largest panderers to the American Taliban (Rethuglicon party) on earth.

    1. Anonymous Coward
      Anonymous Coward

      Go home dad,

      You're drunk.

      1. Mark 85 Silver badge
        Pint

        Re: Go home dad,

        Let's not be judgmental of someone making his first post. Then again.... it's past beer o'clock on a Monday.

        1. Anonymous Coward
          Pint

          Re: Go home dad,

          Nice catch Mark. Duly upvoted you and AC's dad.

    2. Rick Giles
      Trollface

      And I suppose they're worse than the Demonazi party?

      1. David 132 Silver badge

        And I suppose they're worse than the Demonazi party?

        Don't blame me, I voted for Kodos.

        1. Anonymous Coward
          Anonymous Coward

          Governor Tarkin for President!

          He has the dryness we all demand.

  4. Pascal Monett Silver badge

    SOP when buying new laptop (with Windows, obviously)

    1) Go through the Services and disable all services allowing for remote control of PC. Why, in 2015, has Microsoft kept those enabled is beyond me.

    1) Uninstall all vendor software. It is always crap, and it bogs down Windows like an anvil tied to your foot. No vendor has ever made any update of any worth to the crap it puts on top of Windows. Now we know that, in addition, vendor software comes with vulnerabilities baked in. Get rid of all of it.

    2) Remove all promotional, demo, or time-limited applications. You already have paid for what you need to work with, you're not going to be forking over more for any of those.

    3) Install Windows Defender and AV of your choice. Check for driver updates. Run complete scan. Decrapify the abomination called the Registry.

    4) Backup.

    Takes about a day, but it's worth it - if only for the peace of mind.

    1. Anonymous Coward
      Anonymous Coward

      Re: SOP when buying new laptop (with Windows, obviously)

      My new computer ritual is easier:

      1) Insert pen drive containing Linux Mint.

      2) Turn on, and follow instructions.

      3) Copy home directory from old computer (optional).

      4) Enjoy.

      Takes less than half an hour, but it's worth it if you want to actually make use of your computer.

      1. Triggerfish
        Joke

        Re: SOP when buying new laptop (with Windows, obviously)

        1. Realise the stuff you need only runs on windows.

        2. Start finding ways to run them on Linux.

        3. Get lost trying to find easy and clear help.

        4. Go looking for glossary.

        5. Realise the working day is done, vow to install windows in morning and actually get paid for job you are supposed to be doing.

      2. Fatman Silver badge

        Re: SOP when buying new laptop (with Windows, obviously)

        <quote>

        My new computer ritual is easier:

        1) Insert pen drive containing Linux Mint.Remove OEM installed hard drive infected with Windows; and install new hard drive. Obtain Linux distro of choice and place on a flash drive.

        2) Turn on, and follow instructions.

        3) Copy home directory from old computer (optional).

        4) Enjoy.

        Takes less than half an hour, but it's worth it if you want to actually make use of your computer.

        </quote>

        5) When you have decided to replace with new, remove existing Linux hard drive, and reinstall the Windows infected original OEM hard drive.

        6) Dispose of old computer.

        FTFY!!!

        Side benefit, NONE of your PII is left on the old computer as you get rid of it.

        1. Justin Clift

          Re: SOP when buying new laptop (with Windows, obviously)

          As a thought, I've been mucking around with OpenBSD as a desktop over the last few days.

          It's pretty usable so far. XFCE window manager seems the same as on Linux, so not really noticing much of a difference (apart from a few command line utils needing alternatives or different options). It actually seems a lot simpler to use than anything with systemd on it. Python is still on there and working fine.

          Early days yet though, but I'm hopeful. ;)

    2. Doctor Syntax Silver badge

      Re: SOP when buying new laptop (with Windows, obviously)

      The trouble these days seems to be that you can do all that and the crap still comes back to haunt you.

    3. custardshark

      Re: SOP when buying new laptop (with Windows, obviously)

      Unfortunately in this case, even if you un-install Dell's 'Foundation services' the Dell 'eDell' root CA certificate remains in place.

    4. This post has been deleted by its author

    5. Primus Secundus Tertius Silver badge

      Re: SOP when buying new laptop (with Windows, obviously)

      @Pascal

      What we need is for Microsoft to make a clean copy of Windows available at no extra charge to anyone who buys a Windows computer.

      1. Vic

        Re: SOP when buying new laptop (with Windows, obviously)

        What we need is for Microsoft to make a clean copy of Windows available

        No such thing can exist whilst WPBT still does.

        N.B. I am not claiming that WPBT was used in this instance - only that it could be.

        Vic.

      2. Innocent-Bystander*

        Re: SOP when buying new laptop (with Windows, obviously)

        What we need is for Microsoft to make a clean copy of Windows available at no extra charge to anyone who buys a Windows computer.

        You mean like the image you get with the Windows Media Creation Tool? It looked pretty legit and clean Windows to me.

        I also requested physical media for my Dell Inspiron. The USB key they sent me also contained clean Windows 8 without any of the OEM crudware.

    6. Vic

      Re: SOP when buying new laptop (with Windows, obviously)

      Uninstall all vendor software

      Wouldn't work in this case - as seen in the previous article, once you remove this root CA, a simple reboot and it comes back.

      I hope this hurts Dell significantly. This sort of thing must be stamped out.

      Vic.

    7. jbuk1

      Re: SOP when buying new laptop (with Windows, obviously)

      Which remote desktop services would that be which are enabled by default or are you making things up?

      It's been disabled by default since XP SP2.

    8. Rick Giles
      Linux

      Re: SOP when buying new laptop (with Windows, obviously)

      1) Install Linux.

      2) Go to the pub.

    9. Spender

      Re: SOP when buying new laptop (with Windows, obviously)

      A more generalized SOP experience: Install a clean Windows from (say) MSDN. Realize that your laptop is fucked because you don't have any of the right drivers. Visit vendor site to acquire said drivers. And repeat....

  5. VinceH Silver badge

    Sony with their rootkit, Lenovo with Superfish, Dell with this...

    The obvious question is when will these companies ever learn*?

    * (to do these things in such a way that users will never discover their shenanigans)

    1. Anonymous Coward
      Anonymous Coward

      What makes you so certain that the ones we know about are ALL their shenanigans? Eh?..

      1. VinceH Silver badge
        Thumb Up

        I don't - that's why I didn't say "all" :p

        1. Anonymous Coward
          Anonymous Coward

          Perhaps the third word of your caveat should have been an additional "all" then. Somewhat perversely, the fact that you agree with my splaff makes me sad.

          Christ knows how much of this scheming could be passing the obvious-fuckup threshold.

  6. Malcolm 1

    Plug in alternative

    I assume this is a rather cack handed solution to the problem that they can no longer rely on activeX or Java browser plugins to deliver auto detect the service tag. So some genius decided that a MitM attack would be a convenient cross-browser fix...

  7. pogul

    Maybe I just don't have the SkillZ but...

    Can anyone please explain why they needed a root CA? It doesn't make any sense to me and certainly had nothing to with enabling them to phone home (surely?!)

  8. Woodgie

    And the instructions provided as a .docx.

    Wow, I mean a PDF or a bloody web page would have been too hard. A .docx, I'm... I'm...

    I'm a Mac user, I have my own problems.

  9. Anonymous Coward
    Anonymous Coward

    If only there were a way...

    ...to check a certificate's SHA hash against a DNS entry?

    1. Anonymous Coward
      Anonymous Coward

      Re: If only there were a way...

      How would you KNOW you have the authentic DNS entry?

      There has to be someone "trusted" somewhere and the whole system we have is carefully crafted so that there's a plethora of untrustworthy someones lurking around every corner. Good luck getting your fix for that ratified by the IETF and adopted by the "extremely" complicit US megacorps.

      1. Anonymous Coward
        Anonymous Coward

        Re: If only there were a way...

        You don't know that results returned from DNS are correct for definite, but at least DNS is publicly visible and it mitigates this problem somewhat (and all the other times that a variant of this problem happens).

        Defense in depth.

        1. Ben Tasker Silver badge

          Re: If only there were a way...

          Given that a locally trusted CA will override HSTS, once we actually see DANE being supported what are the odds that the same decision gets made, at which point it'd have been no help here either.

  10. Crisp Silver badge

    Surely this is criminal behaviour

    If someone sells me a lock for my front door knowing that it can be opened with a screwdriver, then they haven't sold me the secure lock that I thought I'd bought.

    It's high time that manufacturers were held accountable for the security holes that they leave in their products. These issues cost real people time and money to fix, and they can be so easily avoided with a little bit of diligence.

    1. Anonymous Coward
      Anonymous Coward

      Re: Surely this is criminal behaviour

      > It's high time that manufacturers were held accountable for the security holes that they *deliberately place* in their products.

      There, FTFY. :D

  11. GrumpenKraut Silver badge

    "...customer support experience"

    Spot the word that should rather have to be "monumental fuckup". It starts with an e.

    1. fajensen Silver badge

      Re: "...customer support experience"

      Customer == The NSA, then it all makes sense.

      Of course China, Russia et cetera are just Leechers.

  12. Anonymous Coward
    Unhappy

    Service?

    ...it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.

    Whenever I read about companies wanting to service their customers, I automatically think of this definition :

    Service: the act of a male animal copulating with a female animal.

    I think that definition aptly fits their attitude to us these days.

  13. Anonymous Coward
    Facepalm

    Cancel that Dell contract we're buying Lenovo

    Oh wait.......

    1. Anonymous Coward
      Anonymous Coward

      Cancel that contract to buy desktop computers, we're going to the computer shop down the road and putting the parts together ourselves!

  14. Destroy All Monsters Silver badge
    Gimp

    Release brakes on Class Action Train

    Let Dell play the damsel-in-distress bound to the rails ....

    Where are the penetrative no-win, no-fee laways?

    1. Anonymous Coward
      Anonymous Coward

      Re: Release brakes on Class Action Train

      Here apparently whining that they can afford boarding school fees on £190k a year:

      http://metro.co.uk/2015/11/21/couple-who-earn-190k-a-year-complain-about-private-school-fees-get-the-appropriate-treatment-5517225/

    2. DropBear Silver badge
      Joke

      Re: Release brakes on Class Action Train

      Now I can't help but wonder what year last century was it when one could for the last time encounter a bona fide honest-to-goodness damsel-in-distress bound to the rails in popular media... well, maybe I'm just not reading the right fan fiction.

  15. Halfmad

    Remove programs, disable services?

    Nah, every IT department I've worked in has simply wiped the laptops as they come in,same for desktops. Get our own pre-build on them with apps installed etc. This is more of a home user issue.

    Heck even at home I wipe any pre-builds I'm asked to setup for people, less guff and usually takes less time than stripping off that Mcafee internet suite that's pre-installed.

  16. Captain Scarlet Silver badge
    Boffin

    Let me fix that for you

    "We deeply regret that this has happened and are taking steps to address it," translates to "We deeply regret that this was found and are taking steps to stop people like you from being mean to us"

  17. Paul Woodhouse

    so they give removal instructions in a .DOCX format???... PMSL... am I alone in thinking that might have been a bit rushed through? still at least they did provide instructions for sorting it rather quick without too much hassle...

  18. Anonymous Coward
    Anonymous Coward

    With all the veracity of a White House press release

    Yeah. I have it on a Dell LATITUDE E5540 ordered in April, with Win7.

    Dell said that it started including the root CA certificate with machines in August

    Someone is shitting his customers, and I don't suppose it's "two engineers".

    1. Anonymous Coward
      Anonymous Coward

      Re: With all the veracity of a White House press release

      So, DELL's "Patch" exe (What, no script? WIndows - always like a Zimmer frame of computing) seems to have banished the certificate. For now.

    2. Anonymous Coward
      Anonymous Coward

      Re: With all the veracity of a White House press release

      Tits. I got m'guv a Latitude 3550 a fortnight ago; that line wasn't mentioned so I've been largely indifferent to this so far.

      Better wheel it back into the workshop :(

  19. Woodnag

    software update process... will remove the certificate automatically

    Dell: "A software update process will run from November 24 that will remove the certificate automatically from machines"

    Really? Dell has some software running on my machine that can unilaterally alter the system without any decision on my part?

    1. Destroy All Monsters Silver badge

      Re: software update process... will remove the certificate automatically

      Well, the "Dell Updater" has to be started manually. And yes, it superusers around, no bones about that.

      this_is_fine_dog.jpg

      1. Woodnag

        Re: software update process... will remove the certificate automatically

        SO 'will run' is a lie.

  20. Someone Else Silver badge
    WTF?

    Marketspeak

    The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experienceway for us to cram yet more SPAM down our unsuspecting "customers'" throats. Unfortunately, the certificate introduced an unintended security vulnerability.we got caught, dammit!

    There, FTFY

    1. Anonymous Coward
      Anonymous Coward

      Re: Marketspeak

      The recent situation raised is related to an on-the-box support backdoor certificate intended to provide a better, faster and easier customer support experience way for us to cram yet more SPAM down our unsuspecting "customers'" throats. Unfortunately, the certificate introduced an unintended security vulnerability we completely fucked it up, dammit!

      There, FTFY

      ;)

  21. Kev99 Bronze badge

    Gotta love Microsoft and its "security" specs.

  22. sevkeifert

    gives new meaning to....

    PC does what?!

  23. Zap

    Dell vs The Register

    Hey Dell, how about you bloody ASK before grabbing my System ID without my permission.

    Hey The Register, How about you get rid of those 16, yes 16 tracking Beacons installed on THIS PAGE that Ghostery is kindly blocking for me!

    YOU TRACK ME AND THEN SELL ON MY TRACKING INFO

    At least with Dell it is not deliberate, it is just incompetence.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019