You might be excused for thinking that every tech company is out to get you, especially if you still use Windows, which we like to think of as “yesterday’s operating system.”
We’ll start with the poor Windows user.
News came out on Tuesday that since August Dell computers have been coming out-of-the-box with a root certificate preinstalled that is an “unintended security vulnerability.” The source of the quote, by the way, is Dell itself.
And you thought all you had to worry about was Superfish, the adware Lenovo installed on its computers that left users vulnerable to man-in-the-middle attacks — even when running Linux. At least the latest dumb move by Dell seems to be Windows specific, meaning most readers of FOSS Force can breathe easy and repeat the official Linux mantra rewritten from an old Dial soap campaign.
Aren’t you glad you use Linux? Don’t you wish everybody did?
This latest blunder by Dell revolves around eDellRoot, a self-signed certificate installed under the “Trusted Root Certification Authorities” in the Windows certificate store. With this in place, the Dell computer will trust any SSL/TLS or code-signing certificate that is signed using eDellRoot’s not-so-private key, which is publicly available online.
According to security expert Brian Krebs, this leaves users open to man-in-the-middle attacks: “A malicious hacker could exploit this flaw on open, public networks (think WiFi hotspots, coffee shops, airports) to impersonate any Web site to a Dell user, and to quietly intercept, read and modify all of a vulnerable Dell system’s Web traffic.”
In this case, “any website” might mean, say, a user’s bank’s website, if a user should be foolish enough to login to check a balance while visiting Starbucks or McDonalds. It’s been known to happen.
Maybe even more problematic: Using eDellRoot’s private key, attackers can generate certificates to sign malware files. “Those files would generate less scary User Account Control prompts on affected Dell systems when executed,” writer Lucian Constantin explains on InfoWorld, “because they would appear to the OS as if they were signed by a trusted software publisher. Malicious system drivers signed with such a rogue certificate would also bypass the driver signature verification in 64-bit versions of Windows.”
The good news is that since this was made public Dell has come to its senses about this particular problem and has issued an automatic removal tool, as well as posting information on the manual removal of eDellRoot on its website. Dell has also announced that it began pushing a software update on Tuesday “that will check for the certificate, and if detected remove it.”
If you’re a Dell owner, the bad news is that eDellRoot very well might not be the only root certificate on your machine. There’s also DSDTestProvider, which is installed by an application called DSD or Dell System Detect. Users who visit the Dell support website are prompted to install this tool when they click the “Detect Product” button. So far, there’s no word on how to remove this one.
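A defender-side check for the situation described above, added here as an example and not taken from the article or from Dell’s removal tool: it audits both Windows Trusted Root stores for the two certificates named in the text and, more generally, flags any self-signed trusted root whose private key is present on the machine, which is the condition that made eDellRoot dangerous in the first place. It assumes PowerShell 3 or later and, for removal from the machine store, an elevated shell; the thumbprints are not given in the article, so matching is on subject name.

```powershell
# Added example, not Dell's tool: audit the Trusted Root stores for the
# Dell-installed roots named in the article and for any self-signed root
# whose private key lives on this machine. Report-only unless -Remove.
param(
    [switch]$Remove
)

# Subject names from the article; thumbprints are not given there.
$suspectNames = @('eDellRoot', 'DSDTestProvider')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $nameHit = $suspectNames | Where-Object { $cert.Subject -like "*CN=$_*" }
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        # Flag the known names, and (generalising beyond them) any root that
        # is both self-signed and has a private key on this box: whoever holds
        # that key can mint certificates this machine will trust.
        if ($nameHit -or ($selfSigned -and $cert.HasPrivateKey)) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                Reason        = if ($nameHit) { 'known Dell root' } else { 'trusted root with local private key' }
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No suspect trusted roots found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    # Only the two named roots are removed automatically; the generic finding
    # (e.g. a legitimate in-house CA) is left for a human to judge.
    foreach ($f in $findings | Where-Object { $_.Reason -eq 'known Dell root' }) {
        Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -Verbose
    }
}
```

Run it once without `-Remove` to review the table; a generic "trusted root with local private key" hit can be legitimate on a machine that runs its own CA, so confirm before removing anything.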
If you’re not a Dell owner, don’t be too quick to breathe a sigh of relief. There might be bad news for you too, as the tech industry is leaving few stones unturned.
It might not matter what you’ve removed, what brand computer you use or even what operating system you’re running if you’ve got “Intel Inside.” This is due to something called Active Management Technology (AMT), which is Intel’s proprietary remote management and control system for PCs. It’s been around for a while now, and there are a lot of not-so-cool things about it. Among other things, it can change your BIOS configuration, wipe your disk and even do a system re-installation — and it runs even when your computer is off as long as it has access to a power source. Because it’s proprietary and secret, no one but Intel knows its exact scope.
Oh, by the way, if your computer is off, it can turn it on. Nice trick, eh?
Understandably, the Free Software Foundation finds a lot to not like about this, mostly revolving around security issues. Also: “There could be a deliberate backdoor built into the implementation,” they add. “This is problem number one.”
But wait, there’s more: Even your ISP, at least if it’s Comcast, is out to get you.
You’d think the most hated company in the world might try to be careful and not tick off any more of its customers than it has already, but that’s evidently not the Comcast way. It seems that if you’re a Comcast customer, and if it comes to their attention that you might be the boogeyman — meaning an illegal downloader of music, movies, and especially, NBC TV shows — then they’re going to insert and display a “gotcha!” warning in your browser. Evidently, they also do similar insertions to warn users about bandwidth usage issues.
This makes the company a man-in-the-middle and should be a privacy and security concern for Comcast users, since it means they’re doing packet inspections on users’ traffic. It also means they can spoof a website’s ID and give a user the impression they’re on one site when they’re actually on another. And, as developer Jarred Sumner pointed out to ZDNet, “There are scarier scenarios where this could be used as a tool for censorship, surveillance, [or] selling personal information.”
I don’t know this for a fact, but it’s my guess that Comcast would say they’re doing none of these things; they’re just looking out for the poor content providers. After all, Sony’s been through some rough times recently.
Which brings us back to where we began: You might be excused for thinking that every tech company is out to get you.
That being said, happy Thanksgiving to those of you who reside in the U.S. If you live elsewhere…have a great Thursday.