If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications. I suggest "international first class", because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.
I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic.
Note that Dell's spinning of this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish. This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error.
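The practical question for a defender is whether a given Windows machine trusts one of the certificates named on this page (eDellRoot, and DSDTestProvider mentioned in the comments) and whether the private key is sitting next to it. The following PowerShell audit is an added example, not code from the post or from Dell; it assumes only the built-in `Cert:` drive and the certificate names as they appear here, and deliberately uses no thumbprints because none are given on the page.

```powershell
# Added example (not from the post): audit the Windows trust stores for the
# eDellRoot and DSDTestProvider root certificates named on this page and report
# whether the private key is present alongside each one.

# Both the machine-wide and the per-user Trusted Root stores; a certificate in
# either is trusted for TLS by Windows and by browsers that use the OS store.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        # Match on the subject CN; the names come from the page, not from a
        # fingerprint list, so a renamed copy of the same key would not match.
        Where-Object { $_.Subject -match 'CN=(eDellRoot|DSDTestProvider)(,|$)' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $Store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # True means the signing key is on this box: anyone who can read
                # it can issue certificates that every affected machine trusts.
                HasPrivateKey = $_.HasPrivateKey
                IsSelfSigned  = ($_.Subject -eq $_.Issuer)
            }
        }
}

if (-not $Findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates found in the Root stores.'
} else {
    $Findings | Format-Table -AutoSize
    if ($Findings | Where-Object { $_.HasPrivateKey }) {
        Write-Warning 'A trusted root with its private key is present; treat TLS on this machine as interceptable until it is removed.'
    }
}
```

Run it in an elevated session so the LocalMachine store is readable; `HasPrivateKey` is the property that turns a mere "extra root" into the situation the post describes, since a root whose key is public lets anyone mint certificates the machine will accept. Removal of a confirmed finding can be done with `certlm.msc` or `Remove-Item` on the certificate's `Cert:` path, but note that the comment below about the certificate being reintroduced later means the audit is worth re-running after updates.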
My 4+ year old XPS15z has the DSDTestProvider cert, with private key. I don't know exactly where it came from, but my guess is DSD = Dell System Detect which I did recently update.
This is looking broader than was initially reported.
I wondered if this was going to be a way that the eDellRoot certificate could be introduced again later.
Granted, I think most large companies re-image OEM hardware anyway.