Remote Code Execution on Most Dell Computers (d4stiny.github.io)
876 points by evanwalsh on May 1, 2019 | 306 comments



  OEM: Let's differentiate our otherwise
       commodity hw product!
  OEM: I know, let's add value with bundled
       software the customer can't uninstall!
Then the bundled software turns out to (inevitably) be useless vulnerable garbage. Inevitably because a) the customer doesn't need it, b) it's engineered with all the effort that normally goes into adware for captive audiences (i.e., _minimal_), which means it will be vulnerable.

Here's an idea:

  OEM: Let's differentiate our otherwise
       commodity hw product!
  OEM: Let's add NO bundled software.
That would be fantastic.


It works, too. This is partly why the iPhone was so popular, at first. It's been so long now that probably everyone has forgotten, but before the iPhone, essentially every smartphone on the market was fully loaded with trialware, crapware, and often had hardware features locked out by software so that you could pay extra to unlock them.

I remember one particular phone that had four user-configurable hardware buttons, but Verizon had locked them down so that they all opened the Verizon ringtone store.

The iPhone was a breath of fresh air if only for its software.


Even a brand new, unlocked, $1000 Samsung Galaxy S10 comes riddled with adware and spyware, some of it unremovable:

"There are apps from Flipboard and Spotify as well as a unremovable version of Facebook. McAfee Anti-virus is baked into the operating system as "security," and the Samsung Gallery app wants to share my location with Foursquare. The storage management settings, which is just a simple file-cleanup app, is "Powered by Qihoo 360," a Chinese security company. A caller-ID feature built into the phone app is provided by a company called "Hiya."

Once you run through setup and connect to Wi-Fi, the phone spawns an undismissable "Secure Wi-Fi" notification, which, it turns out, is an ad for McAfee VPN subscription service. I tried blocking the notification—it's not blockable—but it turns out you can open the advertisement, carefully consider subscribing to McAfee VPN, say "No," and then it will go away. Cool."

https://arstechnica.com/gadgets/2019/04/galaxy-s10-review-fo...


I don't understand why folks subject themselves to this for $1000 when other options are available.

You don’t have to keep supporting Samsung by buying their phones. Get a pixel instead.


Google branded hardware has a notorious reputation for problems about 1-1.5 year down the road. This has happened with every single Google device anyone in my family has ever owned and so we've basically stopped buying Google. Very few manufacturers apart from Samsung come close to Apple in terms of sheer hardware quality and service support and Apple OS's lack of customisability, pathetic camera and lack of 3.5mm jack completely rules it out for me. That's basically why I have paid a premium for Samsung over the years. I may look at Huawei too now that they appear to have significantly upped the hardware quality game.

Being virtually stock Android, pre-installed software is easily disabled (even FB) - the only major complaint is inability to assign Bixby button to something else without rooting.


? I used a Nexus 5 up until last year. Ended up upgrading last year, not because it had issues or because lineage stopped releasing for it, but because IT at my new job refused to let six-year-old devices on the network. Meanwhile, my parents complained continuously about their three-year-old iPhones getting slower and slower. Anecdotes, yeah, but...


My Nexus 5 still works. I don't use it anymore, but the thing was an absolute tank.


Nexus 5 was not a tank in my experience.

On mine the plastic frame cracked between the power button and the volume control (I think a reasonably common problem with this phone; I've never had a frame crack on any other phone). After that one button gets stuck on, which makes the phone reboot in a cycle - OK - I can work around that. Then the microphone went bad: that is caused by the crack putting pressure on the micro-connector, which causes an electrical issue. That wasted more time and eventually my workaround for that issue failed.

I have had close experience with 5 different Nexus devices, and 4 of the 5 had nasty failure modes.

The Nexus line has been far less reliable than the iOS devices I have had experience with, and all the Apple devices got far more security updates over their useful life. Note: I usually use Android phones and iPad tablets (although I have also personally had iPhones and Android tablets).


The soft plastic casing definitely cracks easily. On the other hand it does not fail catastrophically. I have dropped my Nexus 5 on the floor more times than I can count and while it has miniature cracks around the button/power connector it's nothing that prevents the phone from working.


> On the other hand it does not fail catastrophically

So my two complete failures due to the crack were not "catastrophic" then?

The case cracking is common, and those two failures were common enough: most users would consider the phone uneconomic to fix, and not everyone has my tenacity or skill to waste time fixing their phone.

I also think it was that phone where the flash slowed enough to make it barely usable.

Back on topic.

The only Nexus I have had that hasn't had a problem was a Samsung Nexus 10 (still goes, but stuck on insecure Android 5.1).

The only Samsung phone I have had was the original Galaxy Nexus, which was still going when I gave it away last year. Its problems were: 1. screen burn-in (OLED) and 2. Google didn't release Android 4.4 (due to TI dropping OMAP4 support?) even though 4.4 came out within 2 years. That phone cost more than an iPhone 4. My colleagues got iPhone 4 phones at the same time, and they got updates for twice as long and their phones remained useful for far longer.

So my experience with Samsung hardware has been good. I have always avoided buying Samsung because I hate their modified Android versions and lack of updates.


The Nexus 5 is one of my favorite devices for PostmarketOS (project to get sustainable mainline Linux on smartphones and tablets): https://wiki.postmarketos.org/wiki/Google_Nexus_5_(lg-hammer...


I loved mine, I'd still be using it if I could have found one that didn't have motherboard issues. It was a pinnacle of industrial design and I'm sad that smartphone designs have moved away from it.


My Nexus 5 was also fantastic.

And then I heard the horror stories of everyone in my office who, having had a great experience with the N5, went and bought a Pixel.


My iphone 4 was pretty much as fast as the nexus 5 and way less buggy. The nexus 5 is the only phone that I almost threw against a wall, I’ll never touch android anymore after that shit show. You must have a very high tolerance to bugs and poor performance. My friend was very happy when I sold him that piece of crap, so it must be subjective.


What did you replace it with? I also use a N5.


Pixel 2 XL, since I also had to stop using a Nexus 7 at the same time and I didn't want to have to deal with not having a large screen to read on. It's been good so far. I haven't had any issues with the lack of a headphone jack, mostly because that jack was also the one part of the Nexus 5 that had also failed, so I was already on Bluetooth-only. I upgraded about eight months after the release so they'd hammered out the QC issues on the screen. I see some black smears when I'm scrolling over pictures with black backgrounds on dark themes with the brightness all the way down in a dark room, but that's not something I'd call an issue. The real problem is actually the curved screen, which is sensitive to touch all the way out to the bezel a millimeter or two around the side of the phone, so I get a few misclicks a month when my palm hits the side of the screen while I'm trying to type. I get about two days of battery out of it despite heavy use while I'm on the subway to and from work. It does not feel as sturdy as my Nexus 5, and the screen is not as nice to read on as the Nexus 7 was; the aspect ratio is far too tall. It's definitely better than my old Droid Incredible, though I still miss the physical keyboard. I don't know if it'll be as good as the Nexus 5. It's so far only a sixth as old.


OnePlus phones (originally replaced N5 with a OnePlus 3 .. now upgraded to 6T) .. they have the same "flagship killer" ethos of the original N5


Same here. On 5T. My only issue was lack of security updates in the end. I could try to flash with another distro but too much work with too little gain. Love my 5T even more.


There are LineageOS images for the 5T. I had weekly updates on my N5 until 26 Jan 2019 and it's a six-year-old phone.


It's now possible to reassign the bixby button to something else without rooting the phone.


Oh interesting. How do you do that? I don't see anything obvious in the settings area.


You've gotta make sure that all your native samsung apps are up to date and then you should see the setting: https://www.digitaltrends.com/mobile/how-to-remap-the-bixby-...

Rooting will still give you the most functionality, but Samsung has finally at least partially relented.


Ah thanks! Wasn't seeing this option


Tasker can assign the Bixby button as of the newest update that just dropped. Also double clicking power and volume up and down long presses (though I had to use adb to enable the volume on my phone, none of this requires root).

I hadn't messed with tasker in a long time but that got me back.


I have been a Samsung buyer for at least 6 years and 4 phone models. The Bixby button is an absolute deal breaker for me. I don't know what I will do, but it won't be a Samsung with Bixby.


I assigned the Bixby button to WhatsApp in settings, no root needed


I got an S10 because of the headphone jack and sd card slot. I uninstalled or disabled any software I didn't need pretty easily. I find it to be a fantastic phone.


Those things are available on cheaper phones that don't come with so many ads.

(for example, the Moto G7. Of course, lots of people have Lenovo concerns)


Except cheaper phones tend to be worse consumer products.


> I don't understand why folks subject themselves to this for $1000 when other options are available.

After my "flagship" HTC10 became unusable within 2 years because of battery issues, I was in the market for a new phone. But I was determined to not spend over $250. I ended up with a Nokia 6.1. The only issue with it is that it is just a little slow because it uses a Snapdragon 435 (I think). However, for the same reason its battery lasts up to 2 days. Other stand-out features are the unibody metal design and Android One (meaning no bloatware). I bought it for only $180 from Best Buy after a price match, and sold the HTC for $60 at decluttr.com. I think this is one of the best value purchases I ever made - up there with a Toyota Corolla.


If I wanted the best camera in a phone on the market, my choices were the Note 9 (before the Pixel 3, I think) or one of the iPhones. I have enough invested in the Google/Android ecosystem that moving would be painful, plus I'm not a fan of Apple.


Do Google pixel phones offer an unadulterated, bloatware free Android experience?


As long as you don’t consider bundled Google apps bloatware, yes.


You can always build your own AOSP (which is essentially Android minus Google). In case of Pixels, this is particularly easy. I use a Pixel to avoid Google, which is a bit paradoxical.


And as long as you don't consider google a spyware company, which they are.


Yes, that was always the draw of the Nexus and Pixel lines. "Vanilla Android." Really hope that's still the case, though I've switched back to iPhone for a number of reasons.


I used to buy Nexus phones and jailbreak them for SU root privileges so I could deny apps (mostly by google) from using permissions without my consent on app launch.

With that being said, I'll be switching to an iPhone for privacy reasons, starting with my next phone and I've been a loyal Android user since Google started with the G1. How times have changed...


You can use LineageOS for a zero-GOOG experience from first run without uninstalling anything.


FYI I have a Nokia 7+ and it is fairly good for giving a pure Google experience ("Android One"), without being quite so expensive.

Also HMD Global seem to be reliable at giving the security updates OTA.

I haven't looked at the newer Nokia 7.1.



Sure, awful, but HMD Global fixed the problem which I respect.

My other choices are Google (expensive, multiple Nexus letdowns in past), Samsung/LG (awful software), Chinese phones (crapware, I don't trust), Sony (abusive relationship), a bunch of other brands with other reasons I dislike, or iPhone (costly and I don't like the UI).


True. And I totally agree with your roundup of the main alternatives. I went for a Chinese phone last time and it's probably the best one I've had in terms of quality and features. But Lord knows what stuff I'm sending back to China. I've been meaning to try Lineage out.


It was bad enough with the fucking Bixby button that can't be disabled on my Samsung S8 Active. Hearing about the S10 solidifies that my next phone will absolutely not be a Samsung. Which is a shame since the hardware is otherwise great.


Bixby remapper has worked for me since I bought my S8.


I'm not interested in giving some random app a bunch of permissions.


In S10, you can check bixby to double click. No extra app install needed.


These criticisms exist because Samsung does not offer first-party solutions to things such as malware detection, location sharing, storage management, caller ID, VPN, music streaming, and news aggregation. It's unclear how exactly these services are being used (Samsung should be more clear on this front) and what parts of it are integrated (Samsung should be more clear here as well).

But, well, put it this way. If Google or Apple had offered first-party solutions to each of those services, would they be criticized for offering bloatware as well? No, probably not. So, is the issue here that the services aren't first-party (Spotify) or that they aren't from traditionally trustworthy sources (McAfee)? If it's the former, why does it matter? If it's the latter, then Samsung should be more clear about the extent of the influence of the other company, which they are not, but that shouldn't necessarily exclude them from collaborating.

Now, there are some key issues that should be criticized. Hard. A persistent notification? It's unforgivable. Facebook? The amount of tracking they can do makes them a threat to the device. It's basically spyware. It can be disabled, sure, but it shouldn't be enabled in the first place (except to enable Gear VR, I guess).

But really, can you trust any major tech company, considering programs like PRISM exist and are in operation? What differentiates Google from Apple when the device is still able to transmit whatever it wants to whoever it wants however it wants? Apple or Google may or may not be tracking some piece of data, but that doesn't necessarily mean that it isn't being collected and tracked by someone. That the companies themselves don't happen to store the data that happens to be the very thing they make their money protecting and using? It's definitely better in that your data isn't being used for the company's profit, but is it really any better for privacy from, say, the government?


> If Google or Apple had offered first-party solutions to each of those services, would they be criticized for offering bloatware as well?

The tech community seems to assume that software from Apple and Google will be well-thought-out and useful, and will be easy to dismiss if the user doesn't want it. The community seems to assume the opposite of anything from any other hardware company.

Honestly, those assumptions seem correct about 80% of the time.


Thanks for the warning. My Galaxy Note 4 is getting long in the tooth, and I've been considering moving to a new[ish] Galaxy. Now I'm not.


That's astoundingly bad


>Verizon had locked them down so that they all opened the Verizon ringtone store

I had a similar issue with a phone I bought around 2005. I wanted an unlocked device, and by EU law, a carrier can't refuse to sell you that. So just pop into any store, right?

The device was unlocked but carrier branded, so the useless menu locked in place front-and-center was doubly useless because none of the carrier services worked.

I made sure to never get any phone through any carrier after that, and now that Android phones are having the same problem I'm so glad I did. Mine have always been crap free.


Exactly. Doing better by your customers is a differentiator. It's worked very well for Apple. Microsoft could easily take a consumer-friendly stance on OEMs preinstalling software. Microsoft please!


Microsoft themselves would have to practice that before they can preach it. All the start menu apps they try and force on users...


Microsoft is changing lately.


The Candy Crush in my fresh Windows install (using media downloaded straight from microsoft.com) suggests otherwise.


> often had hardware features locked out by software so that you could pay extra to unlock them.

Funny, apple did this to iPod touch


>Funny, apple did this to iPod touch

What feature did you pay to unlock on iPod touch? I'm struggling to remember...


https://www.intego.com/mac-security-blog/iphone-20-and-ipod-...

The first iPod touch had a broadcom chip that supported Bluetooth, but wasn't supported in the software stack. You needed to upgrade to use the Bluetooth hardware that you had already paid for.


For that matter, all iPhones contain an FM radio that you can’t use either. Even if you want to pay.


That's wrong in two ways. First, many Android phones, including my Galaxy S7, can use the FM radio via the NextRadio app. Second, iPhones do not have an FM radio.



Apps, initial few software updates were paid. Version 1 didn't have the app store, they pushed web apps initially


They charged for OS upgrades to be compliant with, I believe, the Sarbanes-Oxley Act, as providing free upgrades would amount to pre-booking revenue.


That's paying for a software update. I can understand why you're conflating the two, but I don't think it's correct to do so.

By making updates paid, Apple was charging users for work that had been done on the software side after the user made their initial purchase.


Yes, I can remember the update to iPhone OS 2.0 was a paid update for the iPod Touch 1Gen.


Yep. FM Radio was a common feature back in the day.


My S7 can still do it. The reason newer phones can't is because they lack an aux jack: the wire is used as an antenna. Another great reason to keep the headphone jack.


I don't know the current situation, but in the past most US carrier-sold phones have not had the antenna pin connected on the chip.


I'm not sure exactly what it is, though I know all the S7s do. I suppose it may be carrier-locked? I bought mine unlocked, not via a carrier. It's a handy feature, though. Free music and entertainment with zero data spent. I've got to wonder why people moved away from it. No signal issues either.


> Free music and entertainment with zero data spent.

<conspiracytheory>That's probably why the phone manufactures were asked by Google and the carriers to remove that feature.</conspiracytheory>


I bought a Nokia 6.1 phone and was pleasantly surprised to discover FM radio on it.


Still is, on Motos at least; not sure about others.


All my Android and WP phones are perfectly able to do it.


Yep. Only Android phones worth buying are Google/OnePlus because they don't pull that crap.


While I love OnePlus, and a 5T will be my next phone, they are not completely clean.

https://news.ycombinator.com/item?id=16240485


The thing which worries me about OnePlus and similar cheaper options is the security patches. They seem to be very slow/non-existent and the devices aren't supported for very long.


So the bundled FB app on iPhone is a trick my mind is playing on me?


>> bundled

My iPhone bought direct from Apple didn't have anything like that. Nor did my friends who buy on contract with carriers (UK).

What carrier did you buy from and did you restore from a backup/iCloud?


Company provided iPhone SE with Vodafone support contract.

Backup/iCloud access is forbidden as per company IT security data management rules.


...I mean, it might be, because iPhones don't come bundled with the Facebook app.


The ones provided by Vodafone on my previous company contract sure do.


There were smartphones before the iPhone?


Windows Mobile, Symbian, and Maemo all predate the iPhone.


Windows Mobile, Symbian, Maemo, Blackberry and J2ME.


Blackberry?


Second product for this mythical OEM should just be a TV with an instant-on button and as many hdmi ports that will fit given a small-as-possible bezel. One model per year per common size->one price. Big sale on thanksgiving and then the slightly better ones come out.


> a TV with an instant-on button

Please. I use a 4K TV as my computer monitor. It works fairly well for that because I researched it and found a good fit, but I use a remote to start it every time, and it takes 15-20 seconds before it's ready to receive input. That's a long time to be sitting in front of your computer waiting, especially when it happens 3-10 times a day.


It's because TVs have become computers with a display.

Try an analog TV and you'll see real speed!


I avoid those problems by never turning my TV or monitor off. It does mean they light up the room at night so it wouldn't work if you had it in a bedroom.


Seems like a huge waste of electricity.


I've heard that these exist, but are marked as "LCD panels", meant for displaying information in public places.


Really, I thought it was

  OEM: Let's make more money.
  OEM: We can sell out our users while claiming we aren't.


Gates killed that idea dead, back in the 80's.

EDS - Remember that big huge company H. Ross Perot ran? - We TRIED to buy PCs from hardware vendors without Windows. They refused due to how Bill locked them into contracts. If it was to run Windows, then Windows was shipped with every single hardware sale. On the bill of lading.

Government doesn't pay for stuff they don't use. Didn't want Windows if they were to run UNIX (Santa Cruz Operations XENIX System 5, to be precise). Wonder why some people at SCO went crazy and snorted their futures? Blame Bill.


I was just setting up a slightly older System76 desktop this evening when I came across how they handle firmware updates [1]. That's very impressive to me, showing concern about only using blobs when there's no other option, being transparent about signing, and explaining their QA process, not to mention the whole utility being open-sourced. That's worlds ahead of any other OEM PC manufacturer I've ever seen.

[1] https://github.com/system76/firmware-update


OEM: how can we make money on a commodity platform, when someone else controls most of the design parameters and they are dictated to us, and margins are razor thin, because most people who buy PC’s want to spend the least amount of money.

OEM Sales: we have companies lining up to bundle software on our computers and they are all willing to pay big money to be bundled, and even more money to be bundled and not be removable.

OEM: yay, we can be profitable!!!!!

Not one person really thinks the bundled software is of any value, other than the cash the bundling fee generates. If it was illegal for OEM’s to bundle software you’d see even more contraction in the PC OEM market.


The author chose to download the software from the OEM and the software can be uninstalled.


> The author chose to download the software from the OEM and the software can be uninstalled.

I take issue with that. Approx. one year ago it was using excessive CPU on my Dell. I tried to uninstall, but the uninstaller crashed.

I turned to dell.com and then Google. Turned out that thousands of people had the same problem, but no solution from Dell.

This is a sorry PoS application. In my experience, OEMs like Dell and HP create horrible software and drivers.

https://www.google.com/search?q=can%27t+uninstall+dell+suppo...


The blog post isn't about your experience, it's about the blog post author's experience.

Do try to stay on target when communicating with people. It is impolite to suddenly change a topic of discussion to yourself.


Dell SupportAssistant was preinstalled on my machine. It was the easiest way to find Dell's customized driver updates since they are difficult to find (which of the many network drivers does my machine need?). It's sad that it has problems, but it's supposed to make maintenance easier. HP has something similar.


You only have that issue if you search by the model of your PC. For Dell, search by the service tag (short string of letters and numbers) and you will get the drivers for only the hardware that PC shipped with. For HP enter the serial number.


Notwithstanding the vulnerability outlined by the article, the concept and utility has merit. For a vast number of users, sorting out chipset drivers is a hard problem.


It may come preinstalled but in this case the author wiped the computer, reinstalled Windows and then voluntarily installed the software while visiting the Dell support site checking for updated drivers. It is also able to be uninstalled which the original comment suggested it could not be.


Because the author was doing research? Come on.


According to the article the author wasn't doing research when first downloading and installing the application.


Dell SupportAssist comes pre-installed on most new Dell machines. The only reason it wasn't installed on my machine is because the drive I used was not prepared by Dell. Your average Dell user will have SupportAssist installed though you are right that it can be uninstalled.


"The agent wasn’t installed on my computer because it was a fresh Windows installation, but I decided to install it to investigate further."


My impression was that a normal user wouldn't know not to take the offer, but fair point.


>The author chose to download the software from the OEM

Is a user expecting to be able to trust their manufacturer being unreasonable?


In both the phone and PC space I do not understand the need to do this at all. There is commoditization of the market on the low end, but high end products that compete with iphones and macbooks are definitely not commodity and there is ample differentiation to be had on quality where mindshare can reap substantial margins on a smart investment of good design.


There is no need for this stuff, of course. It's added because marketing want to improve the company's image in the eye of Joe/Jane Consumer, and probably someone in a support organization was honestly trying to make a customer's life easier. It was just implemented poorly.

The day that hardware vendors get over the idea that they need to "add value" to software that they resell will be a very good day for everyone.


Hear hear!


I do not understand the not understanding that businesses seem to exist to monetize every possible aspect of their existence.


Any business (individual persons too!) has at least some conflicting goals and trade-offs to make. E.g., profit now, or profit later? The one in this thread is exactly that sort of trade-off: monetize consumer data vs. optimize for reputation.

It's not like reputation has no value. Reputation is an intangible. You'll be able to put a fairly accurate dollar value on reputation after ruining it, but you should be able to estimate it before trying to ruin it.

Problem is, intangibles have an out-of-sight, out-of-mind effect going on: because you don't see them when putting a dollar value on tangible things, you tend to ignore the intangibles.

Companies often find this out the hard way and end up taking tremendous PR damage. Remember United's PR damage when they had to have cops drag a passenger off the plane because they wanted to "bump" him? Yeah. That sort of thing. Or perhaps the 737-MAX saga. Or any number of such events.


Plus, once it's gotten on the machine, why bother to patch it? You've achieved your goal and it was most likely written to spec by a vendor who has already been paid and moved on.


Can someone repost this with normal quotes? On my phone


I wrapped it short so it would work on mobile. I guess it didn't.


You forgot the last part:

OEM: Profit


It's almost a psychology experiment where brands con you just enough and let you absorb the pain long enough that you forget and start browsing for a new machine, repeating the cycle.


But then the engineer in you says "I'll objectively choose the best hardware", and you end up with another lenovo. I really think it is the Windows Wizard Warriors that complain about bloatware, I always wipe it and start with a fresh install.


I don't use Windows, but Lenovos ship without any bloatware. Vanilla Windows plus their drivers. That's it.


They used to have malware/rootkits class programs preinstalled not long ago. Unless you mean thinkpads.


That doesn't happen in the first case. The second case costs less in terms of engineering and PR/reputation, so there's more profit there.


Tell that to Pixel.


Somehow I found this the other day when searching for a new laptop. 2 models, identical, one with Windows 10 pre-installed and one FreeDOS (of all OSes!). 100€ cheaper. Perhaps not to everyone, but that's a worthwhile difference to me as a non-Windows user.


It's odd how powerful MS is in this equation, and how they don't step in and add some sanity.

It's possible to have pre-loaded software without ruining everything.


Right? MSFT could easily put an end to this nonsense.


The reason they don't apparently is that this supply chain is their bread and butter, and they don't want to mess with it.

But - I feel this is causing them harm in the long run.

I feel that there is a mostly win-win were they to step in and just try to move against the bad shenanigans. I feel that even big companies like Dell, Sony etc. shoot themselves in the foot with this stupidity.

I'm mac 10x years now, strongly looking for change, but I'm wary of that kind of Windows stupidity.


Sadly this is something as old as computing and I doubt it will ever change.


One of the many reasons I stopped buying Windows PCs and started buying Mac...


Dell sells to Enterprise A LOT. This sounds like a tool intended for behind-corporate-firewall deployment that got promoted to the public.


Enterprises will absolutely want nothing to do with this; they’ll have a team that handles endpoint provisioning and management from a gold image & other distribution tools. The endpoints will be as homogeneous as humanly possible because they are all leased in huge bulk orders, so you won’t need a tool for diverse drivers.

Besides, an end user will never have enough permission to download and install a driver - because if they did they’d be in a position to defeat the DLP, VPN posturing, shitty antivirus and disk encryption tools that have to be installed to satisfy the four nearly identical checklists produced by at least as many independent IT security organizations who most likely hired the same auditor multiple times.

Small to mid sized businesses would probably be all over this though.


AFAIK a fair fraction of mid-and-large enterprises use the Intel Management Engine, which seems to be considerably more dangerous than this.

It is "an autonomous subsystem [...] incorporated in virtually all of Intel's processor chipsets since 2008. [One] can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. [It] always runs as long as the motherboard is receiving power, even when the computer is turned off."

According to the EFF it "has full access to memory (without the parent CPU having any knowledge); has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall".

https://en.wikipedia.org/wiki/Intel_Management_Engine


I regret if my comment was misconstrued - I'm not claiming enterprises wouldn't use this specific tool because it is dangerous. I'm claiming they wouldn't use this specific tool because it does not fit within the "how do I manage tens of thousands of endpoints while meeting multiple defined and audited security and compliance goals" box.

You might even say that quality and security are orthogonal, at least in this particular case. That might not even be wrong.


I understand and agree, thank you!


No, this is a tool for consumers too, has been for a LONG LONG time


yep, I remember this at least as far back as 2003.


If I were corporate IT, I would insist on rolling my own disk image starting from a "gold master" direct from Microsoft.


No, they have other tools for enterprise, or some IT departments buy third-party tools off the shelf for this purpose.


There is also the neat tool "Dell Display Manager". The only way to avoid the moody touch buttons on some Dell monitors to change their brightness:

- updates served via HTTP through the browser only

- as a binary (exe)

- from a domain other than dell.com (delldisplaymanager.com)

- signed by a 3rd party (En Tech Taiwan)

- and nagging about updates every reboot

(you can get an outdated version via dell.com, but it will want to update through said channel immediately)

(And I bet this one gets pinged for updates, having the full url to the exe in the update check: https://www.entechtaiwan.com/updates/public/ddm.inf )


Not the only way. I used to use ddctool [0] to change brightness on monitors and it worked even with some cheap old Benq displays. Unfortunately Linux doesn't support DDC over DisplayPort Multi-Stream Transport, but you won't need to worry about that. All you need is some Windows alternative to ddctool. This was the first search hit: https://www.clickmonitorddc.bplaced.net/

[0]: https://github.com/danielng01/ddctool


Oh thank you!

I have an AutoHotkey script triggering the DDM, but it's not working well.


Yeah it's not the only way. Windows actually provides an easy-to-use API to change screen brightness (since it's a standardised feature). I made a little physical knob that connects via USB to control mine since those capacitive buttons are a right pain.


General sanity aside, the whole exploit hinges on the fact that they used string parsing to check for the prefix "http". This wouldn't have been exploitable if they used a proper URL library.


Honestly, they could have just used a whitelist instead of a blacklist.

One could easily fuck up the usage of a library. Common sense is required.

Attempting to ban "http" as a method of ensuring "https", is obviously less ideal than ensuring "https"... by checking for "https".


URL parsers also have bugs (or at least don't all agree on one parsing if you rely on more than one parser). Just take a look at https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-... for some fun examples.


I watched that talk a while ago. It convinced me of one thing: you should only have one URL parser in a project, and don't pass a URL to anything that may parse it differently.

It also made it clear that trying to use a URL to restrict stuff is a bad idea. Like, the Dell updater could only load signed requests, which means an attacker would have to get Dell's private key for signing.


The sane thing would have been to not use an HTTP server at all. This part is pure laziness. It is trivial to communicate with a Windows service locally through named pipes.


I think you're referring to the SupportAssist Client being an HTTP server - while it is weird that they exposed all those other routes, the driver install route allows for drivers to be installed from a website (which a named pipe would not).

I wouldn't characterize it as "pure laziness" - more a questionable feature


The whole process starts with the installation of software to identify the computer. The vulnerable service is part of that. The list of drivers could just as well be shown by a local GUI that is started by the browser through a URL handler registered in the system. There would be no need for any of this frankly stupid Rube Goldberg website/webserver interaction. It would be one less TCP server socket in the system.


Do you think that a proper Url library would have protected against a MITM’d DNS attack?


If that library allowed them to enforce connection via HTTPS, then yes.


It doesn't even need a library. A simple regex would have prevented this.


A naive regex would just as easily have exactly the same issue, e.g. "^http:"


That wouldn't have the same issue since the space at the beginning would fail that regex.


I believe that's the parent's point. "https:" would be OK, "http:" would be rejected, but " http:" would also be _accepted_. They looked for "http://" at the start of the string, instead of requiring "https://".

Replacing:

    bool flag2 = file.Location.ToLower().StartsWith("http://");
with:

    bool flag2 = Regex.IsMatch(file.Location.ToLower(), "^http:");
doesn't help. You have to make sure to actually replace http, not just check the start of the line.


I found something similar to this a few years back[1], where the daemon would download and run anything if just “dell” was in the referring host. It seems they have improved the security somewhat by using white lists, but their coding practices seem a bit shoddy. Why have an SDK token at all if it’s public and globally shared?

I wouldn’t be surprised if a lot of the code was shared between the previous incarnation that I found an issue with and this pre-installed version.

1. https://tomforb.es/dell-system-detect-rce-vulnerability/


Dell service advisory (DSA): https://www.dell.com/support/article/us/en/19/sln316857/dsa-... (from this submission)

first CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3718 (from DSA)

second CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3719 (also from DSA, this is the exploit described in this submission)


Beautiful writeup. I'm a developer but never work on web stuff, and even I found the story interesting and readable.


totally agree. and that guy is 17!


Only 355687428096000 years old? Mustn't have even finished college!


Given this is an RCE, and affects so many machines, does anyone else think it's unreasonable that it took Dell 5 months to fix this?

Aside from anything else, it would have been terrible publicity for Dell if an exploit for this vulnerability was used in a large malware campaign - I just don't get why they would wait so long to fix it.


I've seen something similar when I open Dell's site. uMatrix shows an attempt to run a localhost script, which looks shady as hell.

I've never let that run. Much easier to just flip the laptop over, enter the six digit service code, and see if there are any new drivers/BIOS updates available for my laptop.


I've not yet seen anyone comment on the fact that Dell was informed in late Oct, confirmed by late Nov...and the public was advised in mid April. That's a lot of time for a known and confirmed vulnerability to be undisclosed, isn't it?


I'm not surprised in the least; they have a Bugcrowd program and I've submitted at least one P2 that took months to fix, and best of all - they don't pay bounties! What a joke if you ask me.


I would have publicly disclosed after 90 days. A single line of code would have closed the URL problem and could have been deployed the next day. Six months is ridiculous.


Could be that it took a while to distribute the fix to all the affected PCs?


I'm sure it did, but this is the classic debate about disclosure: disclosing before the fix means that there will be more attackers. Not disclosing means anyone already exploiting the vulnerability is unwarned and defenseless. And sometimes, disclosing before a fix means the fix suddenly has resources and priority it didn't before.

I usually hear about 90 day disclosure, not 160(ish). I'm not saying there should have been disclosure before the fix in this case...but I'd rather see more discussion on that than yet another vendorware complaint. (which are valid, but hardly news)


I don't think there will ever come a time when 1) savvy users will stop suggesting/recommending clean Windows installs on new computers and 2) OEM bloatware will stop being crap.

I clean-installed Win10 recently. There was no driver installation I had to do - everything works great, and there are no unidentified devices in Device Manager. Say what you will about Windows 10, but that part is really cool. Save for video cards, the pack-in drivers are often better and less hassle. Plus they auto update.


I definitely advocate for Windows 10, it has a lot of features I like, but the auto-installing drivers has been a nuisance for me.

The biggest issue is when I have a computer with both integrated graphics, and a dedicated graphics card. I used to disable integrated graphics in the BIOS, but this causes a litany of problems now. Even with integrated disabled, Windows 10 will still try and install the drivers for it, and every time it does this, they seem to take precedence over my dedicated drivers. I ended up giving up and just enabling integrated and leaving the drivers there.


Just be careful not to let video drivers auto-update if you're fending off shovelware. Last time I said "check for updated drivers" on my nVidia graphics card I was force-fed the Geforce Experience utility.

Also (having spent the day reinstalling a new Dell 2-in-1 with a clean Windows install) a few of the devices were quite happy (if generic) in Device Manager but didn't work quite right until I manually installed the drivers off the Dell website. (The ones that spring to mind were the wifi, audio drivers and the webcam, but there might have been others.)


Recently reinstalled W10 onto a laptop (dual booting with legacy/UEFI is somewhat of a headache); the hoops you have to jump through during installation are downright hell.

Cortana just yells at you until you can turn it off, you have to deselect every invasive feature and then get to some "sign into your MS account" bullshit.

Just.... why... Since when did installing operating systems turn into avoiding landmines?

Linux and Mac install pretty quick, but Windows? Fuck off.


I have a Lenovo ThinkPad Yoga X1. I'm afraid to reinstall fresh Windows because of the stylus.


Works fine with one exe from Lenovo.


The author exploited this by adding a space to the URL so it no longer started with http:// but rather (space)http://, but it looks like the call to Replace would be ineffective if the URL started with HTTP:// as well.

    bool flag2 = file.Location.ToLower().StartsWith("http://");
    if (flag2)
    {
        file.Location = file.Location.Replace("http://", "https://");
    }
I trust the new version isn’t vulnerable to this...


There were a bunch of ways to bypass the check. For example another way would be to use "http:\\" which wouldn't get detected either. The new version isn't vulnerable.
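As an added example (not code from the writeup or from SupportAssist), here is the decompiled check quoted in this thread ported to Python, next to the allow-list alternative several people argue for: parse the URL and accept only an https scheme, rather than trying to rewrite http into https. It serves both the "http://" prefix/regex discussion earlier in the thread and the HTTP:// and "http:\\" bypasses mentioned just above. The host names in the probe list are made up for the demonstration.

```python
# Added example; this is not SupportAssist's code or the writeup's. It ports
# the decompiled C# check quoted in the thread and puts it next to an
# allow-list check that only ever accepts https. Hosts are hypothetical.
from __future__ import annotations

from urllib.parse import urlsplit


def rewrite_like_supportassist(location: str) -> str:
    """Port of the quoted C#: ToLower().StartsWith("http://") gates a
    case-sensitive Replace("http://", "https://"). Anything that does not
    start with exactly "http://" is passed through untouched."""
    if location.lower().startswith("http://"):
        # str.replace is case-sensitive, like C# String.Replace(string, string):
        # "HTTP://" passes the lower-cased prefix test but is never rewritten.
        location = location.replace("http://", "https://")
    return location


def is_https_only(location: str) -> bool:
    """Allow-list check: parse, then require scheme https and a real host.
    urlsplit lower-cases the scheme, so "HTTPS://x" and "https://x" agree;
    "http:\\\\x" parses with no authority part, so it has no hostname."""
    parts = urlsplit(location)
    return parts.scheme == "https" and bool(parts.hostname)


# Constructed probes (hypothetical host), one per bypass the thread describes.
PROBES = [
    "http://downloads.example.com/driver.exe",      # the case the rewrite handles
    " http://downloads.example.com/driver.exe",     # leading space: the writeup's bypass
    "HTTP://downloads.example.com/driver.exe",      # upper-case scheme, never rewritten
    "http:\\\\downloads.example.com\\driver.exe",   # backslashes, never rewritten
    "https://downloads.example.com/driver.exe",     # already fine
]


def plaintext_survivors() -> list[str]:
    """Probes that still are not https after the rewrite; each is a URL that a
    man-in-the-middle on the local network could answer with its own .exe."""
    return [p for p in PROBES if not is_https_only(rewrite_like_supportassist(p))]


def accepted_by_allowlist() -> list[str]:
    """What the allow-list check lets through: only the https probe."""
    return [p for p in PROBES if is_https_only(p)]


if __name__ == "__main__":
    for url in plaintext_survivors():
        print("slips through the rewrite:", repr(url))
    print("allow-list accepts:", accepted_by_allowlist())
```

The rewrite version lets three of the five probes reach the downloader as plain http (or as something that is not a URL at all), while the parsed allow-list accepts only the https probe. Note that neither check says anything about which host is allowed; that is a separate comparison on the parsed hostname.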


Dell Computers running Windows, it looks like?


My question, too. I've got Linux on my Dell laptop, but I still had to read a lot of the article to figure out if my laptop had the RCE. I wish they'd put "Windows" in the article headline, but I guess "market forces" prevent them from doing that. I am a firm Free Market person, but this does inconvenience me personally.


Windows and Dell's SupportAssist crapware.


Yeah, 99% of dell computers


Sadly. It disappoints me so much that linux hasn't been able to crack Windows dominance on desktop/laptop. I was sure that as more people became computer "literate", they'd shift to linux or bsd in droves. Boy was I wrong.


I'm very computer literate. That's why I run Windows 10, and Linux / BSD in a VM. I want to get things done.


It wouldn't have stopped Dell from creating a support assistant app for Linux to preload if they cared. In fact, Linux being the land of NIH and non-portability between distros basically requires that Dell create a manager to sort out drivers and installs for everyone.


I have a Dell XPS 13 with Ubuntu.


Are you contesting that 99% of Dell laptops are running Windows? Your comment seems like a non sequitur.


davidw asked the original question. I suspect his response was not to challenge the market share but to clarify why he asked. I don't think it's a non sequitur.


Dell _laptops_ running Windows even. When I read the headline I freaked out a bit because I have a Dell server...


Slightly tongue in cheek to counter the anti-(Chinese/Russians) tone in recent times:

Seeing how close Dell (both the company and the man) are to the US government, surely this is a backdoor by the Americans?


Is the anti-China or anti-Russia tone unwarranted?

Dell fucked up and should be held accountable. Being in America they will more than likely face legal action of some sort over this. I would hope so anyway.


>Being in America they will more than likely face legal action of some sort over this.

Which America are we talking about here? The one that let Equifax off scot-free for leaking the entire country's personal financial info with security that resembles GeoCities?

Dell won't get punished for shit.


You mean Equifax, the company currently being sued for that?

https://www.law.com/dailyreportonline/2019/01/28/judge-oks-e...


It's really hypocritical to call out Chinese companies for spying on people when most American tech companies spy on their users.


Yeah but here we call it "analytics", not spying!


I don’t think this should be tongue in cheek. This is understood and considered to be acceptable when you’re in the US.

What the US takes issue with is foreign governments having that kind of power.


They can just release compromised drivers. There is no need to have a backdoor that can only be used through a non trivial exploit.


This is exactly why you should remove any bundled software from vendors and try to start afresh when picking up a new machine.


Lenovo pulled a stunt before where they loaded their "extra software" inside UEFI to be installed by Windows after a fresh install.


My last two computers have been Lenovo ThinkPads (T520 and Yoga S1) and they bundle more crappy software than just about any other business computer maker. It's good hardware and once you reformat and reinstall Windows (or Linux) they are great machines.


I'm strongly considering the ThinkPad P1 as my next work machine -- any other issues you've experienced? I wouldn't have expected Lenovo to mess with the ThinkPad brand like that. My image of ThinkPad has always been no-nonsense, get-stuff-done, power-user-favored. Packing in a bunch of cruft doesn't seem to mesh with that image.


> I wouldn't have expected Lenovo to mess with the ThinkPad brand like that. My image of ThinkPad has always been no-nonsense, get-stuff-done, power-user-favored.

I used to think the same until I got a T480. I was drawn to it because it was one of the few laptops that still has a direct hardware Function-key row (I use linux, so software Function Keys are not fun).

The keyboard, while mechanically excellent, is horribly designed if you depend on it to do your job: They "innovated" by moving the Home/End keys up to the Function row, they "innovated" by completely removing the context menu key from the keyboard and placing the PrintScreen key (of all things) in its place, and they also placed the Fn key at the bottom left corner of the keyboard where Ctrl is usually located (you can fortunately swap Ctrl/Fn with each other in the BIOS, so the last one isn't an issue if you're willing to live with mislabeled keys).

If you're a heavy keyboard user, I strongly suggest properly testing a laptop's keyboard before buying.


The keyboard changes honestly make no sense.

While I never used the context key (and indeed neither my 60% layout nor the original IBM Model M layout seem to have it anyway), I don't see the purpose of a Print Screen there either.

The Fn/Ctrl swap is... confusing. I'm guessing Lenovo tried to copy the MacBook format without thinking it through. Personally, I prefer Caps Lock as Control, though. I never use Caps Lock.

Home and End on laptops have almost always (it seems) been up on the function row. On a traditional layout, they're to the right, which obviously would not work on smaller form factors. Even with the 7-row keyboard, it was on the top.

Having tried other light laptops including the MacBook 13, the XPS 13, the HP Spectre 13, the Razer Blade Stealth, and the Dell Latitude 73 something or other (this was pretty good)... they just can't compete mechanically. No concavity on the keycaps is a big bummer. Some of them are obnoxiously loud. Some of them have piss-poor tactile feedback. Some of them are okay, but lack travel. Some of them bottom out too hard. Some of them bottom out too softly. It's a rough keyboard game out there. None of the layouts work for me on their own, so I always have to end up tweaking them slightly to my tastes. Caps Lock is useless to me, and I prefer Backspace being one key down. I've considered swapping Right Shift, but I'm not sure what to swap it to. Any ideas?


The T520 mentioned above is the last in the T5x0 line before Lenovo started changing the keyboard layout and action in a way that seemed anti-ThinkPad. Same with the move from T420 to T430, so your T480 was a few generations further along an anti-ThinkPad path.

Personally, I'm currently standardized&stockpiled on two legacy ThinkPad models, and one of the reasons is keyboards. I also transplant keyboard parts manufactured to T60 specs, into later models, because Lenovo started making the keyboard flex-prone, even as the part was otherwise equivalent.


I own a T450s. Definitely no bloatware that persists through a reinstall (that was for a particular case with Lenovo's consumer lineup... completely inexcusable, but never touched ThinkPads), which I would recommend for any laptop regardless of the OS, especially if you're buying used. Doesn't matter if it runs macOS (unless, of course, you implicitly trust Apple's supply chain to be 100% robust), Linux (which I don't think anyone except System76 or Dell actually sell out of the box), BSD (which I don't think anyone sells out of the box), or Windows (which has competent driver detection and management now, making most "system update tools" useless). Wipe it and restart.


The machines have been good and I'm not sure if there is a better choice in the Windows world.

For some reason some screws have fallen out of the S1 and I have no idea where to get replacements, but it still feels fairly sturdy. I like the keyboards on both machines even though they are very different. The track pads are decent for a Windows laptop.

I really wish Lenovo would open retail stores. It would be nice to be able to try the machine out before you buy it and have a local place to take it for service.

The cruft that they pack in are a bunch of system utilities that replicate the basic Windows tools. It's mostly stuff about Wifi management, power management, etc... None of it seems to be very well made and I recommend getting rid of it all and getting as close to a stock version of Windows as you can.


That caused so much of a backlash that they released a new BIOS version without that stuff. As was absolutely fair.

Abusing Windows' ability to obtain HW drivers through UEFI (something which can be used for good) to bundle shit-ware is just absolutely rotten.


Fair would be sending executives to jail for hacking. Releasing a non-backdoored BIOS was the absolute minimum.

Edit: As pointed out by josteink, the BIOS wasn't backdoored - it was used to install a backdoor. But calling what it installed "insecure Windows-software" is also inaccurate. According to https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci..., its purpose was man-in-the-middle attacks against the user. So I still think criminal liability and jail time would be just. Ordinary people have been sent to jail for far less.


To be fair and technically correct, the BIOS itself was not backdoored.

The BIOS itself was fine, but it contained insecure Windows-software which it requested/instructed Windows to install.

Install any other OS (like Linux) and there would be no backdoor at all.

To be clear I’m not trying to defend Lenovo’s actions here, I’m just trying to be clear about what this incident was actually about. The simplistic description is IMO a bit too simplistic in this case.


Fair would be sending executives to jail for hacking.

That would be up to a prosecutor. A civil suit would take the form of a class action.


Or banning the company for a period of years from any government work, as happened to Arthur Andersen in the UK.


Microsoft should prevent this. It's not in their interest to allow OEMs to circumvent the normal software installation methods for Windows. It should be prohibited in whatever agreement OEMs make with Microsoft, and maybe Windows should prevent execution of such code if it's possible to tell it apart from drivers.


Pretty sure there was a USG lawsuit about what MSFT could require from OEMs.


I don't think that settlement applies to this. The OEM part of that lawsuit, from my recollection, hinged on the fact that Microsoft's OEM licenses required that the OEM limit the percentage of computers they sold without a Windows OS pre-installed. I don't remember there being anything about how OEMs use their APIs.

I think it would be perfectly fair for Microsoft to require OEM licensees to not use that feature for shitware installations. I can't see how that would fall afoul of antitrust or related regulations. Maybe I'm wrong though, that was a while ago and it wasn't my specialty when I practiced law.


that's something Apple would do, but unfortunately Microsoft doesn't give a shit


I'm inclined to agree. Microsoft's philosophy has been "give vendors all the rope they could think of asking for" for a really long time.


I wouldn't call that good. More like a bad solution to a problem which shouldn't exist. Nothing should ever be located in system firmware save for the boot firmware and perhaps a basic diagnostic tool like memtest.


> Lenovo pulled a stunt before where they loaded their "extra software" inside UEFI to be installed by Windows after a fresh install.

Holy cow. Would you have a link on this?


The tech is called Windows Platform Binary Table, WPBT for short.

Here's a random article covering it https://www.howtogeek.com/226308/the-windows-platform-binary...

You can find others by searching for "lenovo wpbt" or "lenovo unremovable crapware".


I just checked on my Dell workstation at work and it seems they are now using this method to load the Lojack anti theft rootkit. I see the wpbbin.exe file and it's signed by Absolute Software.

I guess that is what the feature is designed for, though.


Many computer manufacturers seem to do this at least. There might be a way to trick the UEFI into thinking that you’re installing a non-Windows OS but I’m not sure.


You got it completely backwards.

UEFI doesn't install anything. It provides a machine-specific binary for Windows to install (intended to ensure that Windows has proper drivers for all the machine’s hardware).

Windows then decides to install this, based on the assumption that OEMs won’t bundle non-critical shit-ware using this method. Which has turned out to be the faulty assumption here.

Either way: Use any other OS except Windows and these UEFI-bundled binaries do nothing. They're duds.

UEFI doesn’t need to be “tricked” and it can’t force the installation of anything into an OS not wanting it.

It’s really simple, so no need to invent overly complicated threat models.


I think the parent is getting confused because previously Lojack did work as they describe, by injecting its binaries into the filesystem like that. But I guess they have now switched to using this WPBT feature instead.


Oh. That makes much more sense! Thanks for the clarification.


That CD with Stuxnet in autorun.inf doesn't do anything. It's Windows that chooses to load it.


Thanks!


Lenovo has a program basically identical to this. I wonder if it’s got any of the same problems as the Dell version.


That’s astounding. Suddenly my “zero the entire storage, including partition table” methodology which I always somewhat regarded as overkill appears to be reasonable and/or necessary.


Your approach won’t solve that, you’d need to also flash the chip with patched / clean firmware


And you might not be able to.


Zero it and install Linux. Problem solved.


It could effectively be a ring -2 rootkit, and it could prevent you from removing it.


Short of flashing the chip, which is impractical, are there any other "imperfect but probably sufficient" workarounds?

For example, would loading Grub first, and then loading Windows from Grub, prevent the issue?


Basically none. You’ve got the ME (or AMD’s equivalent) on the CPU anyway so you really can’t avoid having some kind of root kit. Older Intel hardware that doesn’t have the ME or can be neutered is the best bet, and these machines don’t use UEFI anyway. Otherwise you could go for a non-Intel/AMD architecture, but there aren’t that many of those around anymore.


Disabling all of the parts of the ME except the part that lets the computer stay powered on is fortunately now well-documented (NSA-requested HAP support).


Again, not looking for a perfect solution. So I take it loading a different boot-loader first wouldn't be enough?


The EFI partition is on disk, not in firmware.


Clearly there's some component of UEFI that's in firmware, right? I don't really know all the terminology and such here, so please correct my understanding, but -- even if you don't have a disk, you'll get some UEFI bootloader. I seem to recall that some devices like many Chromebooks will have some extensive EFI blobs in firmware partitions, at least some of which is a read-only "get back to factory settings if you really screw up" stuff. I don't see what could stop a vendor from putting whatever they want into a read-only firmware EFI partition; I'm pretty sure they exist in the wild.


The Chromebook’s user partition is read-write, and the system is read only (save for updates). The “powerwash” factory reset just wipes the user partition. The OS restore (if you can call it that) is not stored in boot flash, just standard data/nvme disk.

If you wipe the whole disk, you still need to use a bootable restore USB to restore it.

This has nothing to do with the fact that it is UEFI booting.


Such are the problems Purism is said to be attacking: https://puri.sm/products/librem-13/


After a quick gander, I'm actually more interested in their phone. The idea of a phone that can not and will not track me, and which I know is doing only what I want it to do is pretty damned exciting.

The laptop is certainly nice though.


If it has a SIM card, it is tracking you. If you leave Bluetooth or WiFi enabled, then it is being tracked. All the Librem 5 can do is 1) give trusted RF kill switches, and 2) not add additional tracking on top.

I will probably still buy one if it materializes, and is functional.


> If you leave Bluetooth ... enabled, then it is being tracked.

Wait, can you expand on this? Are you saying (current, existing) Bluetooth radios can be used for location tracking without additional hardware/OS support?


Maybe the MAC address or other broadcasted information could be used to fingerprint your device. That’s why WiFi MAC addresses are randomized on iOS, but I’m not sure that Bluetooth has gotten the same treatment.


Apple sells this as a product (iBeacon). There are others.


For anyone who has bought one of their laptops, how does the build quality compare to an old macbook or thinkpad?


I have a librem 15. The screws inside the case seem to come loose every once in a while. Also I wish the body was a little more rigid (I'm guessing the librem 13 doesn't have this issue since it's lighter and smaller). Otherwise I like it. The speakers also aren't very loud so I often have to make the volume higher than 100% to hear clearly. I think the trackpad is fine using libinput (I haven't tried other drivers).

I didn't want to use PureOS so I installed NixOS and everything seems to work fine.

I used to have an issue where the fan would get stuck on high after resume, but I think that was fixed when I updated coreboot to the latest version.


Microsoft pulled a stunt before when they made Windows load an executable from inside UEFI during every boot.


I chuckled, but come now, that's not the same thing.

Apple keeps track of what you type for autocorrect and word prediction. "Apple installs a keylogger on every iPhone."


Sure it isn’t the same thing. Microsoft created a system supporting malware that survives OS reinstallation. Lenovo was just using that system as intended.


oh come on, it uninstalls itself after it has collected enough data.

(sarcasm)

[i thought it uninstalled itself after a few months]


I installed Arch on this Dell laptop without even seeing Windows. I personally would do as you suggest if I wanted Windows on it but then I own an MS "partner". Everyone else has to run the uninstallers and hope that they actually remove everything and not leave things behind.


It's been a while... but prior to my current laptop, I'd generally remove the factory HD and replace with an SSD before even booting once. Installing a fresh OS from the start.


Unfortunately I have a MacBook and Apple won't even let me uninstall the chess program bundled with macOS.


It's barely 5 megabytes.. and it's probably not connecting to anything.

The protections for pre-installed apps help to make sure nothing else tampers with them, e.g. injecting some malware, but I'm sure you can remove those protections and reclaim the 5 MB if you really wanted to.

https://developer.apple.com/library/archive/documentation/Se...


Chess was given as an example of the ridiculous situation that not even a game can be removed by default. There are a host of other larger apps I would like to remove such as Home, Maps, News, Books, FaceTime, Messages and Mail. I never use any of them and would prefer they were gone from my computer.

Disabling system integrity protection to uninstall them should not be required and I'm guessing wouldn't be a long term solution anyways because likely they would reappear when upgrading macOS versions. There is also the issue of why does chess need greater protection from being tampered with than say Apple Pages.


Sounds like the attacker has to be on the local network (or presumably VPN) to use the exploit? If so that's a nontrivial hurdle in many cases.


Like a WiFi at a café or airport?


It should be mentioned that even with WPA2-PSK Wi-Fi you are vulnerable to ARP spoofing.


Public WiFi networks really should use client isolation. Sadly, many don't.


You can just go to a public place and run your own hotspot.


And use a name and SSID of some well-known public WiFi network. Then make a captive portal to force the user to open an attacker-controlled page in a browser.


Even if client isolation is used, do you trust your local cafe’s WiFi AP?


I was thinking in enterprise contexts, but, yes, that's fair. Still, anybody doing anything important on public WiFi should be using a VPN.


How will a vpn protect the user if the target laptop is listening on a public wifi connection?


Actually maybe it wouldn't... I guess underneath the VPN it still has to be listening.


The author details the options. If you can find an XSS on Dell's website it's possible.


It looks to me like you could register any domain starting with "localhost" (e.g. localhostevil.com) and it would work.

(apart from the download whitelist)


What is the bounty on a report like this, and does Dell operate an official bug bounty program? How much do you think a report like this should be worth?

"Dell bug bounty program" and the like don't turn up obvious results to me.


Unfortunately Dell doesn't pay bounties no matter how serious the bug is.


Dell could send you a laptop at least.


Dell probably doesn't run one. If it did, I'd guess somewhere on the order of $20k? If the exploit was being bought by a company who traffics in zero-day exploits, some multiples larger of that.


Preinstalled crapware is one of the main reasons I still build my own desktops. Back when I used to buy Dells or HPs for the kids I always began the relationship with a reformat and reinstall. That was easy for me at the time because I had a complete MSDN sub with access to all versions of MS operating systems.


Cannot this vulnerability be exploited by creating a free WiFi access point, opening a captive portal on the user's device and attacking them from there? Another option is to wait until the victim requests something over HTTP (some ad networks still use it) and inject the payload into the traffic.


Yep.


Intel has a similar update assistant that runs on thinkpads at least: https://www.intel.com/content/www/us/en/support/intel-driver...


Nice writeup! Only feedback is it seems like you don't need to DNS hijack anything. Seems like you can just register localhost-lollolanything.com and pull the attack off, no?


There's code that checks for the domain ending in .dell.com (etc) so it wouldn't work.


tl;dr:

A piece of software opens a port to allow a remote website to trigger "download and execute" actions on a URL pointing to an .exe file.

The security check they have is that they check the domain is dell.com and that the string starts with "https://". If it starts with http:// it is replaced by the https version. In theory I could consider this risky but safe.

The mistake is that they do not force a URL that starts with something else to fail. The attacker could bypass the check by providing " http://fakedns.dell.com/haxorz.exe" (with a space at the beginning) and it passed the check.

This is not the first flaw of this style I am seeing. I don't think a teacher ever explicitly told me, but I always assumed that relying on DNS for authentication was a dangerous thing to do and that URLs were doing too many things behind the scenes to be trustworthy without being extremely picky.

Maybe it all changed with https, but trusting the execution of an exe without at least checking a crypto signature lights some red flags in my brain.
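Constructed example, not code from this comment or from Dell's SupportAssist: the URL check as the tl;dr above describes it, next to a strict version. The suffix test on `dell.com`, the function names and the sample URLs are assumptions; the "ends in dell.com" form follows the other comments in the thread.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed allow-list for the demo; the product's real list is not on the page.
TRUSTED_DOMAIN = "dell.com"


def flawed_validate(url: str) -> Optional[str]:
    """Check as the thread describes it (reconstruction, not vendor code):
    rewrite a leading 'http://' to 'https://', then accept if the host ends in
    the trusted domain. Any URL that matches neither branch is passed through
    untouched, so a leading space keeps its plain-http scheme."""
    if url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    host = urlparse(url.strip()).hostname or ""
    if host.endswith(TRUSTED_DOMAIN):     # bare suffix test: 'notdell.com' also matches
        return url                        # a downloader that trims whitespace fetches over http
    return None


def strict_validate(url: str) -> Optional[str]:
    """Hardened form: accept only an exact https URL whose host is the trusted
    domain or a subdomain of it. Nothing is rewritten and nothing is trimmed;
    anything unexpected is rejected instead of being passed along."""
    if url != url.strip():
        return None                       # surrounding whitespace is not part of a URL
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname                 # already lower-cased by urlparse
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        return None                       # dot-anchored suffix: 'notdell.com' fails
    if parts.username or parts.password:
        return None                       # 'https://dell.com@evil.example/' style tricks
    try:
        if parts.port not in (None, 443):
            return None
    except ValueError:                    # malformed port string
        return None
    return url


if __name__ == "__main__":
    for sample in (" http://fakedns.dell.com/haxorz.exe",   # the bypass from the thread
                   "https://notdell.com/x.exe",             # suffix-only match
                   "http://downloads.dell.com/x.exe",       # rewritten by the flawed check
                   "https://downloads.dell.com/x.exe"):     # the only one strict accepts
        print(repr(sample), flawed_validate(sample), strict_validate(sample))
```

The comment's other point, verifying a signature on the downloaded executable, is a separate control and is not shown here.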


A lot of government computers around this part of the world are Dell computers. Hopefully enterprise customers get fresh Windows installations.


Use Linux.


This doesn't sound quite as scary as the title. You still have to do one of these things that will all be nearly impossible in general. It's not like you can just set up a website and wait for victims to visit it.

- XSS on one of Dell's sites.

- Find a Subdomain Takeover vulnerability on a Dell site.

- Make the request from a local program.

- DNS Hijack the victim.


> - DNS Hijack the victim.

This is the trivial one. You can just set up a free Wi-Fi access point next to a restaurant that people from company-you-want-to-hack like to visit.


HP uses a similar service (HP Support Assistant) that permits the HP website to discover your machine and drivers. It would be nice to discover if it has the same vulnerability...


Hmm. I have a Dell laptop, but replaced Windows 10 with Ubuntu. I doubt I'm vulnerable to that... but my security stance is probably not as strong as it could be.


Feel pretty validated on my decision that the OEM doesn't need a support backdoor on PCs. SupportAssist looked like a remote access tool combined with PC-Doctor.


I bought an Alienware that cost $4300 last year, and that's after $900 in savings.

The computer arrived in a box that had 2 handle sized holes in it and I could see the computer directly exposed from the outside without the box being open. It had shipment dust and debris INSIDE THE BOX. It's the saddest, cheapest, most sorry ass excuse for a shipment I've ever seen. I took pictures, I couldn't believe it.

Then I booted it up and was inundated with Dell pre-installed software. Wiped the thing clean, got a Win10 ISO directly from MS and called it a day. This will be the last Dell I ever buy. Lesson learned.


Speaking of exploits... aren't nearly all Intel-processor systems vulnerable to attacks against IME?

Has anyone disabled IME by putting it into HAP mode or another mode?


If this was Huawei it'd be called a backdoor.


Is this related to Dell computers (so it does include laptops with a Linux OS) or to Windows OS (by which I mean spyware on Windows OS)?


Intel also has a similar tool that you install to check for updates and you visit a web page to get your updates.

Does it work in a similar way?


I thought this was old news... I swear I heard and read about this last year, maybe even before mid-year.


I really wish it was possible to purchase hardware from any manufacturer with this stuff removed.


Microsoft sort of tries with "Windows Signature."

https://www.laptopmag.com/articles/microsoft-signature-editi...


/r/buildapcsales is your friend


First off, great article.

But, like so many other articles about security vulnerabilities, there seems to be a general attitude among most people (including many IT shops) that "it's an isolated incident", and "the experts will fix it...".

"It's an isolated incident", and "The experts will fix it...".

They said the same thing about Spectre, Meltdown, Rowhammer attacks, what have you.

"It's an isolated incident", and "The experts will fix it...".

Well, if you read HN long enough, you'd know that there's too much of this on too regular a basis to continue to espouse those views.

I'm going to go for broke here.

I'm going to put on my conspiracy "what if" tin-foil hat, and ask two questions.

The first is related to virus-checking and security software -- like Norton, McAfee, etc. How do we know that any of it doesn't contain remote code execution (aka major security) vulnerabilities?

You see, if I were the bad guys, that's where I'd put it.

Also, let's say you have Nation States. Could you see one of these guys "persuading, for the good of their country" one or more of their same-nationality corporations to put such vulnerabilities into their "Security" software?

In other words, maybe you have a Chinese producer of anti-virus/security software, and maybe it has little "surprises" for non-Chinese Citizens.

Maybe you have an American producer of anti-virus/security software, and it too has little "surprises" for non-American Citizens.

You see? Nation A thinks that it's permissible and OK for it to compromise Nation B's "Security" software. And Nation B thinks the same thing, but in reverse.

Even if Nation States are removed from the equation, you still have the Virus Checker/Security software company themselves. How do you know that random employees at that company haven't tainted that software in some way?

In other words, "Who guards the guardians?"

Which is my second question.

It's an ancient philosophical question.

"Who guards the guardians?"

We The People - do not seem to be doing such a good job these days...

All I know is that you might be seeing a whole lot more "isolated incidents" that "the experts will have to fix" in the future, unless We The People - step up to the plate...


Well I think it's very possible that backdoors are set up by governments like you say.

But I also think that even if they don't, it also seems very possible that vulnerabilities are quite common as mistakes. Just due to the realities of security.

In my opinion security is much more difficult than people realize.

For example, in this case there seems to be a majority opinion along the lines of "What an idiot! _I_ would never make that mistake!". It's much easier to say that in hindsight than it is to really write secure code that no one can defeat. The response might be "well, no one broke into any of _my_ systems so far" and I would say... how do you know they didn't? And also, maybe no one bothered to try to exploit you because you are not a high value target. Or they are just busy and will get to trying to penetrate you next week.

I think this is due to the complexity of software and IT rather than general negligence.


Yes I don't think that the government needs to plant vulnerabilities to get backdoors into people's machines. Finding vulnerabilities is not that difficult. The more moving parts you have and the more complex the code is, the more likely it is that there are vulnerabilities in the software.


That's one of those garbage apps I proactively removed. Thank God.


Do they also install this stuff on their linux offerings? :/


Amazing, Dell bullshit antivirus is bullshit


Glad I wiped my XPS and put Ubuntu on it.


I'm not going to buy Dell again...


This is an exploit in the shitty software that OEMs put on their Windows images. Stuff like this is practically universal (minus Apple), and the fact that Dell hasn't (AFAIK) actively bundled very evil malware with their computers makes them far from the worst offender.


Apple bundles plenty of software on their computers which I don't want, have never used, which increase the potential attack surface and which I can't uninstall. For example Apple Maps, Apple News, Home, and Books. In fact you can't uninstall any of the apps shipped with macOS. Not even the chess program.


Exactly! With Windows you do have choices. I bought a desktop PC from ThinkMate configured exactly as I wanted it with a plain vanilla Windows 10.


As another user said- "It's barely 5 megabytes.. and it's probably not connecting to anything.

The protections for pre-installed apps help to make sure nothing else tampers with them, e.g. injecting some malware, but I'm sure you can remove those protections and reclaim the 5 MB if you really wanted to."

[1] https://news.ycombinator.com/item?id=19803067


Chess was given as an example because it is the most ridiculous thing that can't be removed. See https://news.ycombinator.com/item?id=19809880 for my full response to the other user.


`DiableInstallNow` - I liked this JSON key in the API.

