OEM: Let's differentiate our otherwise
commodity hw product!
OEM: I know, let's add value with bundled
software the customer can't uninstall!
Then the bundled software turns out to (inevitably) be useless vulnerable garbage. Inevitably because a) the customer doesn't need it, b) it's engineered with all the effort that normally goes into adware for captive audiences (i.e., _minimal_), which means it will be vulnerable.
Here's an idea:
OEM: Let's differentiate our otherwise
commodity hw product!
OEM: Let's add NO bundled software.
That would be fantastic.
I remember one particular phone that had four user-configurable hardware buttons, but Verizon had locked them down so that they all opened the Verizon ringtone store.
The iPhone was a breath of fresh air if only for its software.
"There are apps from Flipboard and Spotify as well as an unremovable version of Facebook. McAfee Anti-virus is baked into the operating system as "security," and the Samsung Gallery app wants to share my location with Foursquare. The storage management settings, which is just a simple file-cleanup app, is "Powered by Qihoo 360," a Chinese security company. A caller-ID feature built into the phone app is provided by a company called "Hiya."
Once you run through setup and connect to Wi-Fi, the phone spawns an undismissable "Secure Wi-Fi" notification, which, it turns out, is an ad for McAfee VPN subscription service. I tried blocking the notification—it's not blockable—but it turns out you can open the advertisement, carefully consider subscribing to McAfee VPN, say "No," and then it will go away. Cool."
https://arstechnica.com/gadgets/2019/04/galaxy-s10-review-fo...
I had a similar issue with a phone I bought around 2005. I wanted an unlocked device, and by EU law, a carrier can't refuse to sell you that. So just pop into any store, right?
The device was unlocked but carrier branded, so the useless menu locked in place front-and-center was doubly useless because none of the carrier services worked.
I made sure to never get any phone through any carrier after that, and now that Android phones are having the same problem I'm so glad I did. Mine have always been crap free.
Funny, Apple did this to the iPod touch.
Please. I use a 4K TV as my computer monitor. It works fairly well for that because I researched it and found a good fit, but I use a remote to start it every time, and it takes 15-20 seconds before it's ready to receive input. That's a long time to be sitting in front of your computer waiting, especially when it happens 3-10 times a day.
OEM: Let's make more money.
OEM: We can sell out our users while claiming we aren't.
EDS - Remember that big huge company H. Ross Perot ran? - We TRIED to buy PCs from hardware vendors without Windows. They refused due to how Bill locked them into contracts. If it was to run Windows, then Windows was shipped with every single hardware sale. On the bill of lading.
Government doesn't pay for stuff they don't use. Didn't want Windows if they were to run UNIX (Santa Cruz Operations XENIX System 5, to be precise). Wonder why some people at SCO went crazy and snorted their futures? Blame Bill.
OEM Sales: we have companies lining up to bundle software on our computers, and they are all willing to pay big money to be bundled, and even more money to be bundled and not be removable.
OEM: yay, we can be profitable!!!!!
Not one person really thinks the bundled software is of any value, other than the cash the bundling fee generates. If it was illegal for OEMs to bundle software you'd see even more contraction in the PC OEM market.
I take issue with that. Approx. one year ago it was using excessive CPU on my Dell. I tried to uninstall, but the uninstaller crashed.
I turned to dell.com and then Google. Turned out that thousands of people had the same problem, but no solution from Dell.
This is a sorry PoS application. In my experience, OEMs like Dell, HP create horrible software and drivers.
https://www.google.com/search?q=can%27t+uninstall+dell+suppo...
Is it unreasonable for a user to expect to be able to trust their manufacturer?
The day that hardware vendors get over the idea that they need to "add value" to software that they resell will be a very good day for everyone.
OEM: Profit
It's possible to have pre-loaded software without ruining everything.
Besides, an end user will never have enough permission to download and install a driver - because if they did they’d be in a position to defeat the DLP, VPN posturing, shitty antivirus and disk encryption tools that have to be installed to satisfy the four nearly identical checklists produced by at least as many independent IT security organizations who most likely hired the same auditor multiple times.
Small to mid sized businesses would probably be all over this though.
- updates served via HTTP through the browser only
- as a binary (exe)
- from a domain other than dell.com (delldisplaymanager.com)
- signed by a 3rd party (En Tech Taiwan)
- and nagging about updates every reboot
(you can get an outdated version via dell.com, but it will want to update through said channel immediately)
(And I bet this one gets pinged for updates, having the full url to the exe in the update check: https://www.entechtaiwan.com/updates/public/ddm.inf )
I have an AutoHotkey script triggering the DDM, but it's not working well.
One could easily fuck usage of a library. Common sense is required.
Attempting to ban "http" as a method of ensuring "https", is obviously less ideal than ensuring "https"... by checking for "https".
It also made it clear that trying to use a URL to restrict stuff is a bad idea. Like the Dell updater could only load signed requests, which means an attacker would have to get Dell's private key for signing.
I wouldn't characterize it as "pure laziness" - more a questionable feature
I wouldn’t be surprised if a lot of the code was shared between the previous incarnation that I found an issue with and this pre-installed version.
first CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3718 (from DSA)
second CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-3719 (also from DSA, this is the exploit described in this submission)
Aside from anything else, it would have been terrible publicity for Dell if an exploit for this vulnerability was used in a large malware campaign - I just don't get why they would wait so long to fix it.
I've never let that run. Much easier to just flip the laptop over, enter the six digit service code, and see if there are any new drivers/BIOS updates available for my laptop.
I clean-installed Win10 recently. There was no driver installation I had to do - everything works great, and there are no unidentified devices in Device Manager. Say what you will about Windows 10, but that part is really cool. Save for video cards, the pack-in drivers are often better and less hassle. Plus they auto update.
The biggest issue is when I have a computer with both integrated graphics, and a dedicated graphics card. I used to disable integrated graphics in the BIOS, but this causes a litany of problems now. Even with integrated disabled, Windows 10 will still try and install the drivers for it, and every time it does this, they seem to take precedence over my dedicated drivers. I ended up giving up and just enabling integrated and leaving the drivers there.
Also (having spent the day reinstalling a new Dell 2-in-1 with a clean Windows install) a few of the devices were quite happy (if generic) in Device Manager but didn't work quite right until I manually installed the drivers off the Dell website. (The ones that spring to mind were the wifi, audio drivers and the webcam, but there might have been others.)
Cortana just yells at you until you can turn it off, you have to deselect every invasive feature and then get to some Windows sign-into-your-MS-account bullshit.
just.... why... since when did installing operating systems turn into avoiding landmines
linux and mac install pretty quick, but windows? fuck off
    // Decompiled check from the updater: only a string that starts with
    // "http://" is rewritten to "https://"; any other prefix (including a
    // leading space) is left untouched.
    bool flag2 = file.Location.ToLower().StartsWith("http://");
    if (flag2)
    {
        file.Location = file.Location.Replace("http://", "https://");
    }
I trust the new version isn't vulnerable to this...
Seeing how close Dell (both the company and the man) are to the US government, surely this is a backdoor by the Americans?
Dell fucked up and should be held accountable. Being in America they will more than likely face legal action of some sort over this. I would hope so anyway.
Which America are we talking about here? The one that let Equifax off scot-free for leaking the entire country's personal financial info with security that resembles GeoCities?
Dell won't get punished for shit.
What the US takes issue with is foreign governments having that kind of power.
Abusing Windows' ability to obtain HW drivers through UEFI (something which can be used for good) to bundle shit-ware is just absolutely rotten.
Holy cow. Would you have a link on this?
(sarcasm)
[i thought it uninstalled itself after a few months]
The protections for pre-installed apps help to make sure nothing else tampers with them, e.g. injecting some malware, but I'm sure you can remove those protections and reclaim the 5 MB if you really wanted to.
https://developer.apple.com/library/archive/documentation/Se...
(apart from the download whitelist)
"Dell bug bounty program" and the like don't turn up obvious results to me.
A piece of software opens a port to allow a remote website to trigger "download and execute" actions on a URL pointing to an .exe file.
The security check they have is that they check the domain is dell.com and that the string starts with "https://". If it starts with http:// it is replaced by the https version. In theory I could consider this risky but safe.
The mistake is that they do not force a URL that starts with something else to fail. The attacker could bypass the check by providing " http://fakedns.dell.com/haxorz.exe" (with a space at the beginning) and it passed the check.
This is not the first flaw of this style I am seeing. I don't think a teacher ever explicitly told it to me but I always assumed that relying on DNS for authentication was a dangerous thing to do and that URLs were doing too many things behind the scenes to be trustworthy without being extremely picky.
Maybe it all changed with https, but trusting the execution of an exe without at least checking a crypto signature lights some red flags in my brain.
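The check described in this comment, and the decompiled StartsWith/Replace snippet quoted earlier in the thread, re-created as an added example. This is not Dell's code and not code from any commenter; it is written in Python rather than C# so it can be run stand-alone, and the exact form of the domain test (a substring match for "dell.com"), the function names, and the sample URLs are assumptions based only on the thread's description. Beyond the leading-space bypass the reporter describes, the strict version also rejects two other failure modes of string matching that the thread does not mention: a host that merely contains "dell.com" (dell.com.evil.example) and userinfo confusion (https://dell.com@evil.example/).

```python
"""
Added example: a flawed string-based URL check (as described in the thread)
next to a parse-and-allow-list version. Not Dell's code.
"""
from urllib.parse import urlsplit

# Assumption: the original domain test was a substring match on the raw string.
NAIVE_DOMAIN_NEEDLE = "dell.com"

# Hypothetical allow-list for the strict check.
ALLOWED_HOSTS = ("dell.com",)       # exact hosts
ALLOWED_SUFFIXES = (".dell.com",)   # any subdomain of dell.com


def naive_check(location: str) -> bool:
    """Mirror of the flawed logic: only a string that *starts with* 'http://'
    is rewritten to https, and the domain test is a substring match."""
    loc = location.lower()
    if loc.startswith("http://"):
        loc = loc.replace("http://", "https://")
    return NAIVE_DOMAIN_NEEDLE in loc


def strict_check(location: str) -> bool:
    """Parse the URL and allow-list scheme, host, userinfo and port."""
    # Reject any whitespace or control character before parsing. urlsplit's
    # treatment of a leading space differs between Python versions, so the
    # check must not depend on it.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in location):
        return False
    try:
        parts = urlsplit(location)
        port = parts.port            # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https":      # no http://, no rewriting, no other schemes
        return False
    host = parts.hostname            # lower-cased, userinfo and port stripped
    if host is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # https://dell.com@evil.example/... style
    if port not in (None, 443):
        return False
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES)


# Constructed sample inputs, including the reporter's leading-space payload.
SAMPLE_LOCATIONS = [
    "https://downloads.dell.com/update.exe",
    "http://downloads.dell.com/update.exe",
    " http://fakedns.dell.com/haxorz.exe",
    "https://dell.com.evil.example/update.exe",
    "https://dell.com@evil.example/update.exe",
    "https://downloads.dell.com:8443/update.exe",
]


def compare(locations=SAMPLE_LOCATIONS):
    """Return [(url, naive_result, strict_result), ...] for the samples."""
    return [(u, naive_check(u), strict_check(u)) for u in locations]


if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"{url!r:48} naive={naive!s:5} strict={strict}")
```

Only the first sample survives the strict check; the naive check accepts every sample except none of them, which is the point: once the decision is made on the raw string, every variant that keeps the needle in place passes.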
- XSS on one of Dell's sites.
- Find a Subdomain Takeover vulnerability on a Dell site.
- Make the request from a local program.
- DNS Hijack the victim.
This is the trivial one. You can just set up a free Wi-Fi access point next to a restaurant that people from company-you-want-to-hack like to visit.
The computer arrived in a box that had 2 handle sized holes in it and I could see the computer directly exposed from the outside without the box being open. It had shipment dust and debris INSIDE THE BOX. It's the saddest, cheapest, most sorry ass excuse for a shipment I've ever seen. I took pictures, I couldn't believe it.
Then I booted it up and was inundated with Dell pre-installed software. Wiped the thing clean, got a Win10 ISO directly from MS and called it a day. This will be the last Dell I ever buy. Lesson learned.
Has anyone disabled IME by putting it into HAP mode or another mode?
Does it work in a similar way?
https://www.laptopmag.com/articles/microsoft-signature-editi...
But, like so many other articles about security vulnerabilities, there seems to be a general attitude among most people (including many IT shops) that "it's an isolated incident", and "the experts will fix it...".
"It's an isolated incident", and "The experts will fix it...".
They said the same thing about Spectre, Meltdown, Rowhammer attacks, what have you.
"It's an isolated incident", and "The experts will fix it...".
Well, if you read HN long enough, you'd know that there's too much of this on too regular a basis to continue to espouse those views.
I'm going to go for broke here.
I'm going to put on my conspiracy "what if" tin-foil hat, and ask two questions.
The first is related to virus-checking and security software -- like Norton, McAfee, etc.: how do we know that any of it doesn't contain remote code execution (aka major security) vulnerabilities?
You see, if I were the bad guys, that's where I'd put it.
Also, let's say you have Nation States. Could you see one of these guys "persuading, for the good of their country" one or more of their same-nationality corporations to put such vulnerabilities into their "Security" software?
In other words, maybe you have a Chinese producer of anti-virus/security software, and maybe it has little "surprises" for non-Chinese Citizens.
Maybe you have an American producer of anti-virus/security software, and it too has little "surprises" for non-American Citizens.
You see? Nation A thinks that it's permissible and OK for it to compromise Nation B's "Security" software. And Nation B thinks the same thing, but in reverse.
Even if Nation States are removed from the equation, you still have the Virus Checker/Security software company themselves. How do you know that random employees at that company haven't tainted that software in some way?
In other words, "Who guards the guardians?"
Which is my second question.
It's an ancient philosophical question.
"Who guards the guardians?"
We The People - do not seem to be doing such a good job these days...
All I know is that you might be seeing a whole lot more "isolated incidents" that "the experts will have to fix" in the future, unless We The People - step up to the plate...
But I also think that even if they don't, it also seems very possible that vulnerabilities are quite common as mistakes. Just due to the realities of security.
In my opinion security is much more difficult than people realize.
For example in this case there seems to be a majority opinion something along the lines of "What an idiot! _I_ would never make that mistake!". It's much easier to say that in hindsight than it is to really execute secure code that no one can defeat. The response might be "well, no one broke into any of _my_ systems so far" and I would say .. how do you know they didn't? And also, maybe no one bothered to try to exploit you because you are not a high value target. Or they are just busy and will get to trying to penetrate you next week.
I think this is due to the complexity of software and IT rather than general negligence.