Linked by Thom Holwerda on Fri 27th Nov 2015 21:35 UTC
Privacy, Security, Encryption

From the good women and men over at the EFF:

Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a "man in the middle" attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites.

Now it appears that Dell has done the same thing, shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link.

Did you buy a Dell computer during your Black Friday shopping thing over there in the US? Might want to look it over before handing it to your loved one.

Alternatively, just buy a Mac and don't deal with this nonsense.
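As an added defender-side check (this is not part of the EFF post or of this article), the PowerShell below lists certificates in the Windows trusted root stores that carry a private key on the local machine, which is the condition that made eDellRoot and Superfish exploitable, and flags the two subject names this page mentions. The function name and the known-bad list are my own assumptions; it uses only the built-in `Cert:` provider.

```powershell
function Find-RogueRootCert {
    [CmdletBinding()]
    param(
        # Subject fragments named on this page; constructed list, extend as needed.
        [string[]] $KnownBad = @('eDellRoot', 'Superfish'),
        # Only certificates matching $KnownBad are removed; private-key hits are reported only.
        [switch] $Remove
    )

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($cert in Get-ChildItem -Path $stores) {
        $nameHit = $false
        foreach ($fragment in $KnownBad) {
            if ($cert.Subject -like "*$fragment*") { $nameHit = $true }
        }

        # A trusted root whose private key sits on an end-user machine lets anyone who
        # extracts that key issue certificates the box will trust for any site.
        if (-not ($cert.HasPrivateKey -or $nameHit)) { continue }

        [PSCustomObject]@{
            Store         = $cert.PSParentPath -replace '^.*::', ''
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            KnownBadName  = $nameHit
        }

        if ($Remove -and $nameHit) {
            # -DeleteKey also discards the associated private key; the LocalMachine
            # store requires an elevated shell.
            Remove-Item -Path $cert.PSPath -DeleteKey -Force
        }
    }
}

# Report only; add -Remove to delete the known-bad certificates.
Find-RogueRootCert | Format-Table -AutoSize
```

An empty report is the expected result on a clean machine; any root certificate with HasPrivateKey set to True deserves a look even if its subject is not on the list.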

Thread beginning with comment 621408
RE: Apple, eh?
by kaiwai on Sun 29th Nov 2015 06:25 UTC in reply to "Apple, eh?"
kaiwai Member since:
2005-07-06

There is a huge difference between OS X having a bug vs. an OEM taking Windows then making it insecure by doing something stupid like what Lenovo and Dell did. The former was simply a human mistake whereas the latter was idiocy by OEMs who should learn that their job is to provide hardware with Windows pre-installed and not install crap additional to what is the absolute bare minimum for the system to function. It is crap like this that undermines the Windows brand, yet I keep hearing all this crap about 'freedom' and how having a PC gives you 'choice' whilst ignoring that you have to make sure that you do an extensive background check into the OEMs and what they do when butchering Windows before purchasing.

Reminds me of the Android defenders going on about 'freedom' and 'choice', yet how many of them install unneeded security-problematic crap with their installation of Android? How many end users are thrown under the bus 12 months later when the new phone is released and Samsung can't be buggered providing Android updates? Honestly, I swear Windows defenders get their Jimmies rustled at top speed because of their inability to accept that maybe there are things that Apple does better than the Windows/PC world and that maybe there are some ways in which Apple does things that OEMs should adopt rather than going on endless Mac bashing as you did in your post.

Reply Parent Score: 2

RE[2]: Apple, eh?
by WereCatf on Sun 29th Nov 2015 07:13 in reply to "RE: Apple, eh?"
WereCatf Member since:
2006-02-15

"There is a huge difference between OS X having a bug vs. an OEM taking Windows then making it insecure by doing something stupid like what Lenovo and Dell did. The former was simply a human mistake"

Wait, you're saying Superfish was just a human mistake? An application that was designed, from the ground up, to intercept and modify users' traffic in order to net Lenovo some extra profits?

Reply Parent Score: 2

RE[3]: Apple, eh?
by kaiwai on Sun 29th Nov 2015 08:33 in reply to "RE[2]: Apple, eh?"
kaiwai Member since:
2005-07-06

"There is a huge difference between OS X having a bug vs. an OEM taking Windows then making it insecure by doing something stupid like what Lenovo and Dell did. The former was simply a human mistake


Wait, you're saying Superfish was just a human mistake? An application that was designed, from the ground up, to intercept and modify users' traffic in order to net Lenovo some extra profits?
"

Read what I wrote, it is abundantly clear that the bug in OS X was human error whereas Superfish was Lenovo deliberately making Windows insecure by design, not by accident.

Reply Parent Score: 3

RE[2]: Apple, eh?
by grat on Mon 30th Nov 2015 16:34 in reply to "RE: Apple, eh?"
grat Member since:
2006-02-02

Superfish was a malignant, deliberately difficult piece of software to remove.

Dell left a self-signed trusted root cert installed.

The mistakes I mentioned by Apple are all serious flaws in the security of the OS at a code level.

Of the three, Lenovo is the worst, because they deliberately made their adware hard to remove, and as a bonus, it included tools for creating man-in-the-middle attacks.

Apple is the second worst, because it demonstrates a continual lack of focus on security-- some of the mistakes I listed are amateur mistakes no serious developer should have ever made (a double goto?!? Seriously?).

Dell made a blunder in not considering the ramifications of their certificate-- but of the three, it's the only one that can be fixed by a user without any special tools or patches.

I'm not bashing OSX-- security is hard to get right. I'm pointing out that in the context of "Get a Mac and don't deal with this nonsense" OSX is no better than any other OS vendor-- and to think so is incredibly naive.

The *REAL* problem with the list of security issues that I brought up is that, with the exception of the setuid script, they're all from this year, and it took me less than 10 minutes to find them.

OSX is no more secure than Windows or Linux-- it's just attacked less right now.

Reply Parent Score: 2

RE[2]: Apple, eh?
by FunkyELF on Mon 30th Nov 2015 22:09 in reply to "RE: Apple, eh?"
FunkyELF Member since:
2006-07-26

"There is a huge difference between OS X having a bug vs. an OEM taking Windows then making it insecure by doing something stupid like what Lenovo and Dell did."

"Reminds me of the Android defenders going on 'freedom' and 'choice' yet how many of them install unneeded security problematic crap with their installation of Android?"

"Honestly, I swear Windows defenders get their Jimmies rustled in top speed because their inability to accept that maybe there are things that Apple do better than the Windows/PC world and that maybe there are some ways in which Apple does things that OEM's should adopt rather than going on endless Mac bashing as you did in your post."


I'm not sure what point you're trying to make. All of the problems you state are because of OEMs. You cannot compare (Microsoft + Random OEM) or (Google + Random OEM) to Apple. If you buy a Nexus or Surface device you don't have this problem.

What would you suggest Microsoft or Google do?

Reply Parent Score: 2