69 comments

[ 2.7 ms ] story [ 152 ms ] thread
As I was walking by a pile of Dell laptops for sale today, I just had to wonder if the timing of this problem is just coincidence? Regardless, this kind of thing really helps out the FBI/CIA/NSA/etc get around encryption when targeting an individual. Malice intended or not.
I miss the days when I thought "Wow if this keep happening the law will surely get involved and put a stop to it." - Now I just think "I bet the government LOVE this... they probably paid them to do it."
True. After the Snowden relevations you don't even have to guess.
"Dell included that [private] key on all the affected laptops as well."

Was there any reason other than plain negligence to include the private key on every laptop?

Deniability? If the intention was to create a backdoor, and later it was found that e.g. NoSuchAdversary had used that backdoor, a really good "we didn't intend to create a backdoor and we especially didn't give the key to that backdoor to the Adversary" defense would be the fact that actually Dell gave the key to everyone.
That's exactly my take on this whole thing. The incompetence you'd have to defend for the alternative to be real would damage Dell even more than the malice would.
I really don't want to sound elitist, but my choice to go full Macbook and keep my custom built PC at home has never looked better. How long until we hear about other manufacturers also doing this?
If I were looking at a Windows system I would now only consider buying those branded with Microsoft Signature.
Except then you have the privacy concerns with Windows 10.

That's why I'm still running 7.

https://support.microsoft.com/en-us/kb/2952664

This KB sneaks in diagtrack.dll to windows 7, aka telemetry.

Which you can decline to install, on Windows 7.
Do you always get prompted or does it install automatically in certain circumstances?

I have diagtrack on my work win8.1 without being prompted. I'll have to check win7 on monday. This is the first non win10 kb I've seen it mentioned in.

I have no clue how it got onto my win8.1 box.

If you go into Control Panel, Programs and Features, you can retroactively uninstall updates. It's in the other section of that application.

At least for 7, I never used 8 enough to give you useful info there.

Although you are trying to be helpful, you did not answer the question that I asked. Retroactively uninstall is not my definition of decline to install.

Also, it's not clear which KB snuck it onto my Win8.1.

It turns out that KB2952664 is pretty hard to uninstall. I tried several times to uninstall it from the control panel on Windows 7, and each time it was still present afterwards. It turns out this update has many versions, each of which need to be uninstalled separately:

https://answers.microsoft.com/en-us/windows/forum/all/unable...

My machine had 27 different packages/versions for this update!

Good grief, I have 23 versions installed on my system. None of which show up in 'installed updates' in Windows Update. And when I try to remove them with dism I get an access denied error.

A cynical person would think MS is deviously trying to hide them and prevent an end user from opting out from their data collection scheme.

Oh sorry, I misread that. You can decline any updates, personally I have mine set to Download automatically but let me choose to install. Then you just untick it. Of course it's a Microsoft Recommended update so it will come checked, but the actual install is still up to you.

I believe it will remember this preference for future installs, as in won't keep checking it each time but I've honestly never looked into it so I can't say for certain.

Not so sure that the KB text description in control panel will give enough info.

It's only after months of reading about it do I know enough to discern that diagtrack.dll == "telemetry".

The statement 'Which you can decline to install' makes it seem as if this is specifically flagged and you have the option of not installing it.

In reality you are describing the standard options: Automatically Update/Let Me Choose Which Updates/No Updates at all.

When users are advised to install this stuff for their own good for security purposes(Microsoft Recommended), and yet this is basically malware/a keylogger - it's pretty bad in my opinion.

I said if. I'm stilling running 7 with Debian in a VM. Looking to invert this if possible in my next system--with Windows in the VM with an AMD graphics card passed through so I can still play games.
Never leave the original os on a laptop. That has been the golden rule of wintel laptops. Install clean windows and nuke the factory recovery partition.
Except that has already been worked around in Lenovo's case by using the BIOS to install crapware/malware on a clean install.

http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=dd...

Ars's news article: http://arstechnica.com/information-technology/2015/08/lenovo...

Not superfish.
It could install superfish or anything it wants but you are correct, I've updated it to say crapware instead.
I've had a macbook for 2 years and I've never used spotlight beyond the initial "what does this do?" moment. Besides, you can't really do search without knowing what is searched for and from where it is being searched.
The few things that I use spotlight for kind of necessitate location data anyways, I keep it on Cmd + Shift + Space and use Alfred on Cmd + Space. I find it does really well when you're looking for restaurants in your area and things like that.
Once you get used to cmd+space. It's so much easier to hit the key combo, type the first letters of the program you want and hit enter than clicking through a bunch of folders and scrolling around.. but after reading this wikipedia article, I think I may have to find an alternative.
Check out Alfred. I use the free version myself, you can un-assign command space from Spotlight in OS X first, then assign Command Space to that. It does basically the same thing minus the Internet connected stuff like location searching and whatnot.

Alfred can be setup to index folders, contents of text files, pictures, etc. and harder things like System Prefs screens too.

I myself keep Spotlight on Command Shift Space for the rare occasions when I want to take advantage of the Internet connected stuff, but keep using Alfred for everything else (less to do with privacy, more because Alfred is just quicker.)

The twelve programs I use most frequently are all on my dock, or accessible from the command line, which I can access by pressing opt+space. Everything else I just use the app menu for.
Don't use Spotlight, I prefer Alfred.
I can't stop laughing, what in the world in this comment necessitated bad karma?
You spoke poorly of an Apple product which means you criticised the official church and its messiah.
I guess I didn't picture the HN community as avid apple fans.
Thank you for posting this. I had no idea.

And as a heavy spotlight user, it's infuriating to know apple is stealing my local computer searches and my location and then selling it to Microsoft.

It makes you wonder what else they are doing if they can be so blatant about it.
I don't count physical access required attacks as something I need to worry about. Besides the fact that I only own and use a very small number of thunderbolt devices, my machine is always in my possession.

I didn't say a Mac was bulletproof, but the fact that Apple controls the hardware and software makes it better than the OEM's who make PCs, IMHO. No software or hardware protection will ever do better than a vigilant user, and I know that.

> you just sound foolish

Please don't call names in HN comments.

https://news.ycombinator.com/newsguidelines.html

Blatant ad hominem attacks are not worthy of detachment? Not to mention linking to the same blog post in 2 separate comments w/in a minute? I must say that I am bewildered...
This isn't the place for this. You're welcome to email us at hn@ycombinator.com if you have questions about moderation.
I was looking for clarity in a transparent process so that others could benefit. I'll just assume there are rules not meant for public consumption and shutup.
a response to this

> I really don't want to sound elitist, but my choice to go full Macbook and keep my custom built PC at home has never looked better.

not really name calling imho but ok, I know. It is not my normal behaviour.

I share the opinion of a friend of mine which is this will eventually come to all major hardware manufacturers.
I think an article from the eff is more notable than a reddit anecdote and should be treated as such.

This is now gone off the main page, which is a shame.

Perhaps the URL is better, but this cluster of stories has had so many major discussions that the current submission is clearly a dupe by HN's standard.

https://hn.algolia.com/?query=dell%20points%3E10&sort=byDate...

We try to get the most substantive URL into the most prominent thread (and in fact are working on a system for users to be able to drive that) but it doesn't always work out.

It annoys me that this is being so directly compared to Superfish. Yes the technical aspect is similar but the intent is very different. Intent matters.
I haven't seen anything that really showed the intent of Dell, just a bunch of woolly corp-speak about improved customer service.
The intent is in the certificate. Superfish could create and sign any certificate, meaning it could impersonate websites. This certificate cannot sign other certificates, meaning it can't be used in the same way as superfish. Thus the logical intent seems to be bloatware, backdoors, etc.. not snooping on HTTPS connections.

This is the distinction the person you are replying to is trying to make, because although similar to superfish, it is not quite the same.

If the dell cert can't be used to impersonate websites, what's with all the test websites people set up to demonstrate it?
I think the problem is the private key is accessible AND machines were already setup to trust it (because of the cert). So what s_henry_paulson said is technically correct but it's conceptually wrong.
Intent isn't magic. Jeopardizing the integrity of every secure connection for a customer is outrageous. Comparisons to Superfish are entirely appropriate.

There is no product, service, business or political cause that justifies destroying the security and integrity of the internet. This places people affected by this in an incredibly risky situation. And then rather that recall the laptops, Dell is issuing removal instructions and asking customers (many of who may be receiving the laptops second hand via personal or corporate means) to fix the problem for them.

If our law were even remotely up to date, this would result in at least a crippling fine for the company that did it.

The end result is the same but super fish was clearly and intentionally malicious (or at the very least unethical). Dell's blunder is more negligence. I'm glad that smart people are keeping an eye on these companies.
(comment deleted)
I wonder how much similar (or worse) errors exist in the metric shitload of device drivers distributed by the ODMs, OEMs and the white-labelers.

Everyone adds their crap onto the device and then wraps it up for sale, with no one having real responsibility on what actually ends up being on the device.

Given common code quality I really wonder what nasties are hidden in stuff like Embedded Controller firmware, the drivers for stuff like "special keyboard hotkeys" and similar. All places to hide a nice kernel level exploit in (or in case of the EC, full HW backdoor).

I have no idea how the dysfunctional wasteland that is the windows consumer ecosystem can survive. Microsoft has actually cleaned up it's act quite well and seems to be producing quality software compared to, says, the Win 98 days. But OEMs and their crapware...? I recently used someones new Lenovo notebook and you couldn't get work done for ten minutes without some sort of popup breaking your concentration. Not even the same, possibly important one, repeated over and over. No, there were 15 third-party items in the system tray vying for my attention with updates, warnings, status informations etc.

I seriously wonder how people can work for these companies. Not that they're terribly evil (b/c, after all, this rant is pretty much the definition of a First World Problem). But in that I couldn't spend the majority of my waking hours for an organization that has so little taste.

Speaking as one in the trenches, it survives by the sheer will and determination of the enthusiasts, and the slavishly hard work of various IT departments, as well as the Linux community by and large being arrogant and rude, and the fact that Mac's are expensive.
And yet again I have to point out how this is an obvious case of Hanlon's Razor, where stupidity is confused for malice.

To install the root key is in no way an attempt at spoofing people since it would eventually be discovered and exploited by someone else. If Dell wanted to use this pre-installed cert they would not have installed the private key. And even then it would eventually be discovered much more easily than any number of backdoor methods they could have pre-installed in the BIOS or the OS when they control the entire deployment and shipping process.

So this was basically a process/QA failure then.

Someone did this (again without malice but clearly misguided), and it wasn't caught by any process that should have noticed or prevented these kinds of dangerous errors.

The only malice that I can see being assumed is in your reading of that report. The EFF page very clearly outlines the problem but said nothing about Dell trying to abuse it, only that Dell's negligence left their users exposed to attackers which is a simple statement of fact.
Read the other comments on this page?