The pun was too tempting, but don't take it too seriously even though it's relatively similar. In short, Dell installs a long-lived root certificate on their machines with a private key that is now compromised (because they didn't exactly protect it too well). This certificate, and the compromised private key, can be used to sign secure connections without needing to be verified by a Certificate Authority. In other words, it adds a huge level of unwarranted trust to phishing and man-in-the-middle attacks.
Dell has not really made any public comment on this issue yet. I don't really count the tweet from Dell Cares, because customer support is a terrible source for basically any breaking news. It's best to wait until Dell brings out an official statement through typical PR channels before assuming what their position is. Regardless of what they say, of course, your security will be heavily reduced until the certificate and eDell plug-in are removed from your device.
I'm really just wondering if Dell will somehow apologize, or stick to their guns.
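A way to check your own machine for the certificate described above, as an added example that is not part of the original post and not Dell's own removal instructions. It assumes a Windows machine with PowerShell 3 or later, run from an elevated prompt, and matches the certificate by its subject name (eDellRoot); the -Remove switch and the store list are this example's own choices.

```powershell
# Added example: find (and optionally remove) the eDellRoot certificate.
# Assumption: the certificate's subject contains "eDellRoot"; the stores
# searched are the machine-wide and per-user Trusted Root stores.
param(
    [switch]$Remove   # without this switch the script only reports
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # True means the private key is present on this box too,
                # i.e. anyone with the leaked key or local access can sign
                # certificates that this machine will trust.
                HasPrivateKey = $_.HasPrivateKey
                Path          = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output 'No eDellRoot certificate found in the Trusted Root stores.'
    return
}

$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($c in $found) {
        # -DeleteKey also removes the associated private key from the key store,
        # so the key does not linger after the certificate is gone.
        Remove-Item -Path $c.Path -DeleteKey -Force
        Write-Output "Removed $($c.Thumbprint) from $($c.Store)"
    }
}
```

Run it without -Remove first to see what is there, then with -Remove. Since commenters below report the certificate being reinstalled at boot, run the report again after a reboot; the plug-in that puts it back has to be uninstalled separately, as the original post notes.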
M$ and OEMs need to be restricted on what they can bake into the UEFI/BIOS. Hardware owners need to be able to expect a level of security and assurance that their hardware is not going to be in a compromised state. There is no workaround for users if privacy violations baked into the hardware/firmware are allowed to continue. After 2 high-profile violations by Lenovo and now Dell, should there be regulations governing just what functionality is allowed to be baked into the device's hardware/firmware that could cause the end users loss of privacy, or even worse? If any abuse calls out for litigation and regulation it is this total disregard for the end users of the compromised hardware, with the loss of privacy and possible other harmful fraudulent dangers.
Just to clear the confusion, this is a certificate that Dell installs in Windows. Not something that is “baked” into firmware or UEFI. This is something that you could uninstall yourself or, if you reimage the machine, that cert would be deleted altogether. I’m not defending Dell in any way; this is a total flub on their part, but don’t think this exploit is in firmware or anything. In other words, don’t let this prevent you from buying a new Dell machine right now.
And people were reporting eDellRoot being reinstalled at boot-up, and I mentioned Lenovo with their firmware antics. So what about M$ and PC/laptop OEMs doing things in the UEFI/BIOS that they have no business doing, or Dell with their root certificates giving everybody the key to the safe? M$ needs to be forced out of any control over the firmware UEFI/BIOS ecosystem. Those pre-UEFI BIOS systems are going to become very popular with people that want more security and less spying, along with Windows 7, or Linux, and less spying on users and violating users’ privacy! UEFI means more OEM spying, even if the UEFI is supposed to protect the users from that very same occurrence. Oh the irony!
It looks like people are going to have to purchase those fully open hardware/software based laptops just to do their personal banking on, systems that can be assured of having no spyware/keyloggers baked into the OS/hardware/firmware. If one component needs to be open-source based it’s the UEFI/BIOS firmware, just for auditing purposes. UEFI (Unified Extensible Firmware Interface) is just that, and that extensibility is being abused, and people have a constitutional right to privacy that should not be abridged by any EULA. The same goes for the root certificate shenanigans! They, OEMs and M$, want your PC/laptops secure from anybody’s spying but their own spying for your metrics and the money made selling them.
Edit: backed → baked
Damn you Dell. I’m in the market for a new laptop and was considering an XPS 15. Scratch that idea.
What is the benefit of this?
Lenovo was even worse. Their crap in the BIOS.
These jerks are driving me to a Surface book.
Try a Clevo.
And this just after I ordered a Dell laptop. Was going for the SurfaceBook.
Hope the fix works and if there is a way to update the system restore files as well so that it is not installed after you restore your machine.
“I’m really just wondering if Dell will somehow apologize, or stick to their guns.”
They’ll do both, while simultaneously giving a sarcastic ‘you’re welcome’ as well, because the only reason they installed the code on their machines was ultimately for the benefit of the user. 🙂
Another laptop manufacturer to put on the blacklist.
Then again, I said screw it to Dell when they told me they’re no longer interested in selling their stuff directly to companies (at least small businesses).
As usual: get a business laptop and avoid hassle with bloatware (and enjoy easier maintenance, sturdier build, better support if purchased new, etc.). Buy a consumer laptop, and deal with the consequences.
Not always. Lenovo put some crap on some ThinkPads.
Good thing I swapped my Dell HDD and installed Linux….
Dell has admitted and apologized (sort of), and now offers a link on how to remove the offending certificate.
What sort of support were they offering that could be made easier with a root certificate with a private key?
As an owner of a new XPS 13 this worried me. Thankfully there is a way of solving it. Now all Dell needs to sort out is:
1. Screen flickering when on battery power
2. The wifi adapter is worse than in my 4 yr old tablet
3. The screen is absurdly glossy – effectively mirror finish
4. The web ordering system was hopeless
Maybe I am just unlucky, but the XPS is likely to be returned as unusable.
It just goes to show that you Americans who complain that you cannot trust Chinese Lenovo computers are full of crap when your very own American Dell computer company installs spyware into its own Dell computers to sell all over the world!