Dell is posting unsigned updates to their website which fail to install (infosec.exchange)
150 points by luu 20 hours ago | 59 comments

klaas- 15 hours ago
yesterday they were also serving an update catalog index that did not match its signature https://downloads.dell.com/catalog/CatalogIndex.gz -- but that was fixed after I complained and their iDRAC-based firmware updater downloads http(s)://downloads.dell.com/Catalog/Catalog.xml.gz without checking the signature -- and by default without verifying https certificates when using https :D
|
panny 20 hours ago
> Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news

If I were a hacker with no access to the signing keys, I'd probably label my updates as critical too, so you would try to find a way around the update signing.

0xDEAFBEAD 18 hours ago
So basically you're targeting a tiny fraction of power users who are capable and motivated to find and exploit a vulnerability on their own machine which bypasses update signing. I think you'll find more bang for your malicious buck elsewhere.

saghm 17 hours ago
So wouldn't this logic also apply to updates that are signed with an invalid signature? And at that point, it sounds like you're saying that once something is signed and distributed, no one will ever try to compromise that and you're free and clear for the rest of time, which seems...dubious.

0xDEAFBEAD 16 hours ago
My mental model is that requiring updates to be signed delivers a lot of security bang for your buck. Do you disagree? An attacker can still steal the private key, or identify a flaw in the signature checking code. It looks like there are a variety of other, more constrained attacks: https://theupdateframework.io/docs/security/#attacks-and-wea... But overall, it seems to me that you can make an attacker's life considerably more difficult, for a comparatively small effort.

saghm 13 hours ago
I don't disagree with everything you said, but I don't see how "therefore, you don't need to worry about a critical update without a signature" follows. The reason that it provides a lot of value is specifically because it helps you notice things like what's going on now so you can avoid installing unsigned updates.
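
An added example, not from the thread, Dell or any vendor tool: the checks that klaas-'s comment above and this subthread describe as missing, written as a small Go update-client verifier that refuses to parse a catalog whose detached signature is absent or does not match, rejects a catalog older than the last accepted version, and checks each package against the hash the signed catalog pins, so a "critical" package the catalog does not vouch for is rejected. The Ed25519 key, the JSON catalog format and the payload are constructed for the example; the download itself (which must keep TLS certificate verification on) is out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Catalog is a constructed stand-in for a vendor update catalog (version + per-package SHA-256).
type Catalog struct {
	Version int               `json:"version"`
	Hashes  map[string]string `json:"hashes"`
}

// VerifyCatalog checks the detached Ed25519 signature over the raw bytes before parsing
// anything, then rejects a version older than the last one accepted (anti-rollback).
func VerifyCatalog(pub ed25519.PublicKey, raw, sig []byte, lastVersion int) (*Catalog, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("catalog signature missing or invalid; refusing to parse")
	}
	var c Catalog
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if c.Version < lastVersion {
		return nil, fmt.Errorf("rollback: catalog version %d older than accepted %d", c.Version, lastVersion)
	}
	return &c, nil
}

// VerifyPayload checks a downloaded package against the hash pinned in the verified
// catalog; unlisted, truncated or altered packages are rejected whatever their label.
func VerifyPayload(c *Catalog, name string, payload []byte) error {
	want, ok := c.Hashes[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the signed catalog", name)
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: hash mismatch (truncated or tampered download)", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	payload := []byte("constructed firmware blob")
	sum := sha256.Sum256(payload)
	raw, _ := json.Marshal(Catalog{Version: 7, Hashes: map[string]string{"bios.exe": hex.EncodeToString(sum[:])}})
	c, err := VerifyCatalog(pub, raw, ed25519.Sign(priv, raw), 6)
	fmt.Println(err, VerifyPayload(c, "bios.exe", payload)) // <nil> <nil>
}
```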
|
SoftTalker 19 hours ago
But posting unsigned updates (if you somehow found a way to do that) would set off alarms in about 10 seconds, as we can see by this thread.

Retr0id 19 hours ago
If I were a hacker in the same situation I'd keep looking for a more realistic strategy.

raincole 16 hours ago
Unless it's some crazy 4D chess and the hackers are trying to distract Dell's security team while they are deploying another real attack.

jagged-chisel 18 hours ago
Does anyone seriously think that attackers won’t try every single potential avenue regardless of how “realistic” it seems?

Retr0id 17 hours ago
Yes. I wouldn't be burning write access to Dell's update servers on something so unlikely to achieve an objective.
|
ganzuul 15 hours ago
Dell must have calculated that Microsoft will take the blame for this.
|
SilasX 18 hours ago
Wow that’s almost as bad as Firefox five years ago … except this probably doesn’t compromise privacy addons that will get someone killed. https://hacks.mozilla.org/2019/05/technical-details-on-the-r...
|
bananapub 8 hours ago
I mean, someone is, who knows if it is Dell or not. Probably Dell doesn't know either, based on their usual software quality.
|
16 hours ago
[deleted]
|
santiagobasulto 19 hours ago
[flagged]

IntelMiner 18 hours ago
I'll probably be tarred and feathered for this opinion, but "everything works out of the box" Mac feels like wishful thinking. Every time Apple pushes an update that causes some bizarre issue, people talk about it at length. On the one hand, software is written by humans. Humans make mistakes. On the other hand, Apple by design supports such a tiny set of hardware (that they largely build themselves and tightly couple to their software) that it's strange they're unable to iron out the issues in test before pushing the updates and ending up making the tech news cycle when something goes wrong.

justahuman74 18 hours ago
> that it's strange they're unable to iron out the issues in test before ...

It's the deadlines. "Must ship feature before WWDC"

thanksgiving 17 hours ago
I can't help but wonder if this requirement of secrecy for a big bang marketing event that is called WWDC is to blame as well. At least the different teams working on the same product should have access to the complete product, right?

jon_richards 18 hours ago
Last major update broke all my vpns for a while. Really not fun having to switch to ssh bastions to do anything.

usefulcat 18 hours ago
I don’t really share your experience, but otoh I rarely have problems with MacOS. Although to be fair, I also do my best to wait the better part of a year before updating. So I’m always ~1 year behind, but then I also avoid a lot of the teething problems.

IntelMiner 17 hours ago
I don't use a Mac so I can't exactly cite specific issues I've had. But I've definitely seen a lot of them posted and reported on HN, ArsTechnica, Reddit and other places. Due to how small Apple's hardware list is, issues directly impact a much larger percentage of their userbase.

hulitu 16 hours ago
> On the one hand, software is written by humans. Humans make mistakes

That's why we had processes and testing. But they are too expensive. /s

RVuRnvbM2e 18 hours ago
a) most thinkpads come with a physical camera shutter https://support.lenovo.com/us/en/solutions/ht512980-what-is-...
b) this story is about Windows. Linux has its own firmware update solution https://fwupd.org/

nox101 18 hours ago
> I’m just gonna stay on my easy-to-use, reliable, everything-works-out-of-the-box Mac.

Where do I get one of those? I've run into just as many problems with my Macs. Latest is Airplay stopped working: https://discussions.apple.com/thread/255783202?sortBy=rank

Another was Finder copy to SMB wouldn't error but file would be corrupted (copying from any other computer to the same SMB no problem. Copying by rsync from the same mac, no problem, just finder).

My Airpods often don't connect. Solution, reboot Mac (after trying several other things).

Network starts failing. Solution, reboot (after trying several other things).

I can catalog many many more. I also have a Windows 10 (now 11) machine. It's had no more (nor less) problems.

syntaxing 18 hours ago
What kind of router are you using? I had a bunch of network issues when I turned on RSTP on my network for some reason. They’re all fixed since I turned that off and ICMP snooping (I have Ubiquiti equipment). Can’t say much about your SMB issue, we have a mount drive at work and it's been solid since I’ve been here.

hulitu 15 hours ago
> Solution, reboot Mac

They copied this feature from Windows. /s

declan_roberts 19 hours ago
Apple definitely knows their audience, unfortunately they've been straying a little bit from the mission lately on software reliability.

hulitu 15 hours ago
> software reliability

is a general problem, not specific to Apple. Why test, when you are already working at the next release? If there are issues, please upgrade to the latest version. Rinse and repeat. /s

kube-system 18 hours ago
Yeah, on Linux you get all of the same firmware issues, but with no vendor software support to update it! I dual boot windows so that I can download all of my PC's firmware updaters.

dorfsmay 18 hours ago
What? I've been upgrading my laptops with fwupdmgr for years without any issue.

kube-system 17 hours ago
I've tried gnome-firmware (same backend) on literally every linux system I've ever owned and have never seen an available update for any of my hardware.

talldayo 7 hours ago
If you don't own supported hardware, that's not really super surprising: https://fwupd.org/lvfs/vendors/

kube-system 4 hours ago
Right. That’s the point of my initial comment. That list looks promising… if you own a Dell or Lenovo. Everything else is a pretty pitiful showing. I’m actually booted into windows right now to update my monitor firmware.
|
loloslsr 18 hours ago
[flagged]

justahuman74 18 hours ago
No it doesn't, it just has a bsd syscall adaption layer

learntoreadwiki 18 hours ago
The Berkeley Software Distribution (BSD) part of the kernel provides the Portable Operating System Interface (POSIX) application programming interface (API, BSD system calls), the Unix process model atop Mach tasks, basic security policies, user and group ids, permissions, the network protocol stack (protocols), the virtual file system code (including a file system independent journaling layer), several local file systems such as Hierarchical File System (HFS, HFS Plus (HFS+)) and Apple File System (APFS), the Network File System (NFS) client and server, cryptographic framework, UNIX System V inter-process communication (IPC), audit subsystem, mandatory access control, and some of the locking primitives.[7] The BSD code present in XNU has been most recently synchronised with that from the FreeBSD kernel. Although much of it has been significantly modified, code sharing still occurs between Apple and the FreeBSD Project as of 2009.[8]

flakes 18 hours ago
You should read the official wiki. https://wiki.freebsd.org/Myths#FreeBSD_is_Just_macOS_Without...

> Darwin - which consists of the XNU kernel, IOkit (a driver model), and POSIX compatibility via a BSD compatibility layer - makes up part of macOS (as well as iOS, tvOS, and others) includes a few subsystems (such as the VFS, process model, and network implementation) from (older versions of) FreeBSD, but is mostly an independent implementation.

yourownlink 18 hours ago
The two operating systems do share a lot of code, for example most userland utilities and the C library on macOS are derived from FreeBSD versions.
|
likeabatterycar 19 hours ago
Or the upload to their CDN was truncated or corrupted, and the signature check worked as designed. But let's not let an opportunity to paint Dell as some evil yet incompetent corporation slip through our fingers.

bhaney 19 hours ago
> This firmware update has been periodically failing since I got this laptop from work several weeks ago, and only today did I put in the effort to track down where it was hiding the logs with the real reason

If they haven't pulled the "corrupt" firmware after it's been up and broken for weeks, I don't think anyone needs to rescind the "incompetent" label.

likeabatterycar 19 hours ago
The only evidence we have is a single anecdote on Mastodon sparse on details and nothing you said can be validated. For all we know, the failure was in his employer's proxy server and the corrupt file was cached. Let's not wait for facts though, proceed immediately to the crucifixion of Dell. With everyone quick on the trigger to throw someone under the bus, imagine being a coworker in such a toxic environment.

harry8 18 hours ago
Crucifixion? Really? Come on now... I paid Dell a bunch of money for a laptop. They pushed a BIOS update, that Ubuntu kindly relayed to me, that meant when I closed the lid and put the laptop in my bag as I sat beside my daughter's ICU bed, it fried the motherboard. No really. That was the /purpose/ of the BIOS "upgrade." Warranty after they remotely fried my machine? No, because it worked as designed. So yeah, going Bayesian, given none of us can be 100% sure about anything, my prior on Dell is they suck donkeys' gonads on all levels. Competence, honesty, service, everything - until evidence shows otherwise and I've just told you why. Why is your prior that Dell are competent even when evidence suggests otherwise?

kaashif 17 hours ago
Can you give more information about what the stated purpose of the upgrade was? Surely they didn't actually tell you they wanted to brick your laptop remotely?

zeven7 14 hours ago
I assumed it was a fast boot thing. I hate it and have been fighting it for years. I can’t believe a company of that size insists on being so anti consumer.

thaumasiotes 15 hours ago
I'm speculating, but recently there's been a trend to prevent laptops from sleeping by disabling the existing functionality, because... companies hate customers? This causes major problems for laptops that are ever located inside bags.

SSLy 13 hours ago
> companies hate customers?

clueless VPs want their products to behave like Apple's, but then beancounters won't sign a budget for iteration. MVP is shipped, turns out it's always buggy.

thaumasiotes 11 hours ago
What, Apple advertises sleep and then decides "you know what, even though it works fine, and is heavily used, and is essential for enabling laptops to be portable, which is the only advantage they have over desktops - we should just stop that from working"? Or is this more of a "Who's going to notice that the functionality they use every day has been disabled?" kind of idea? The only feature here is that you're no longer allowed to do something that was an important part of how the computer worked. That's the headline of the press release, and the goal of the software.

harry8 14 hours ago
Yep. Best to do that without telling your customers that long established behaviour would kill it. Dell.
|
thaumasiotes 15 hours ago
> Warranty after they remotely fried my machine? No, because it worked as designed.

You can still sue them for frying your machine; it's not a legitimate intent for them to have.

likeabatterycar 18 hours ago
Why would you voluntarily use an OS that installs BIOS updates (broken or not) without consent? It's egregious even if the timing wasn't inconvenient.

harry8 14 hours ago
Sure wouldn’t ever again! At the time I was probably a little preoccupied and just clicked yes, safe in the delusion that no distro nor any hardware vendor would ever push a laptop-bricking BIOS update. Sibling got it. Dell disabled sleep, so if you didn’t shut it down and wait before closing the lid and putting it in your bag it fried the mobo. Yeah. If you treated your laptop like a laptop the way you’d used it hundreds of times that was now like tossing it in the dishwasher. Unbelievable. Yet it happened. I hate Dell. I’m not letting go of that anger. Ubuntu, meh. Pretty poor but still not Dell.
|
zdragnar 19 hours ago
Surely for something so important, they'd verify it rather than let it sit around for the public to point out. At a minimum this is definitely a process failure due to incompetence.

likeabatterycar 19 hours ago
Maybe it was file system corruption, who knows? "Dell is posting unsigned update executables" is a loaded statement that implies this was intentional. Dell has been signing updates since before most infosec engineers were in middle school ogling cheerleaders. It's alarmist and highly unlikely this was intentional.

dumpsterdiver 19 hours ago
That still wouldn’t excuse that someone clearly didn’t verify their work. No matter what the reason, ownership of this task was released before it should have been.

likeabatterycar 19 hours ago
You have no evidence of that not happening. It could be corruption after the fact or failure during replication. The armchair wolves already smell blood and are assigning blame before a postmortem has even begun.

muppetman 19 hours ago
You're right.

A headline of "Dell's website is serving up unsigned updates" would be correct. But to garner more clicks and hype that's not how they've worded their tweet, instead it's worded to make it sound like Dell are doing this on purpose.

preciousoo 18 hours ago
The original “tweet” didn’t attempt to infer reason or assign blame though. All it did is state two facts, according to their system
|
ddtaylor 19 hours ago
Dell is a large player in storage integrity for servers for exactly this purpose.
|