Why I don't care that Dell installs Rogue Certificates On Laptops

In recent weeks Dell has been found to have installed rogue certificates on laptops they sell. Not once, but twice. The security ramifications of this are grim. Such a laptop can have its SSL-encrypted connections sniffed quite easily. Dell has responded by providing uninstall instructions and an application that will remove the cert. They've apologized and that's fine... everyone makes mistakes, don't let it happen again. You can read about the initial problem in "Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops" and the recurrence in "Second Root Cert-Private Key Pair Found On Dell Computer".

And here is why I don't care.

Anyone running the vendor-supplied OS with a machine they purchase is...

Wait. I'm trying to find the right word.

"Foolish?" No. That's too judgemental.

"Lazy?" No. That doesn't make the point I want to make.

"Unprofessional? Amateurish?" Again... not exactly my point.

"Negligent"?

Ah! Yes, that's the word I'm looking for.

Basic operational hygiene dictates that we start each new machine in a "known good state". It makes support easier; otherwise you are creating a self-inflicted support nightmare. It makes upgrades and patches less brittle; otherwise you are creating a situation where upgrades are more likely to fail because the number of variations that need to be tested is unknowable.

Entropy will eventually wreck the software and configuration of a machine and require it to be fixed. If you don't start the machine in a known good state, you are fighting entropy with one hand tied behind your back. You are giving entropy a head start.

Every new machine should be wiped and reloaded with your organization's "standard build". Having a "standard build" is one of the foundational pieces of infrastructure that your organization is responsible for. It is so fundamental that not having this kind of infrastructure is negligent.

I am very particular and careful about using the word negligent. We, as an industry, should have a bar under which falls the expected and fundamental practices of a professional, responsible, IT organization. Not doing those things is unprofessional and therefore negligent.

Having a "standard build" and a fully automated installation process that is used on all new machines is basic operational hygiene for an enterprise desktop/laptop organization. I call it operational hygiene because it is the "brushing your teeth" of fleet management. The "eeeuuuu!" you feel when you see someone that never brushes their teeth should be the same feeling you get when you experience an organization that doesn't have a fully automated wipe-and-reinstall process for desktops and laptops. (To complete this analogy, backups are the "flossing" part. Everyone claims they do it but most people don't.)

So, why do I not care about Dell's rogue certs? Because this blog is for professional system administrators and it would be unprofessional to not wipe-and-reinstall all new machines. Your standard installation should be based on the OS vendor's installation disks, not Dell's. In fact, if you disagree with the certs that your OS vendor includes, you can use this process to control which certs make it onto machines. I bet that the NSA removes certain certs. I'm sure that security-conscious companies like Google and Facebook watch the list of installed certs very carefully and evaluate each one.
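One way to watch the list of installed certs on a Windows machine, as an added example that is not from the original post: compare the trusted root store against a baseline captured from a fresh standard build, and flag any root whose private key is present on the machine. The file name `approved-roots.txt` and the function name `Compare-RootStore` are hypothetical.

```powershell
# Added example: audit the machine's trusted root store against a baseline.
# approved-roots.txt is a hypothetical file holding one certificate thumbprint
# per line, exported from a machine freshly installed with your standard build.
param(
    [string]$BaselinePath = '.\approved-roots.txt'
)

function Compare-RootStore {
    param(
        [object[]]$Certificates,
        [string[]]$ApprovedThumbprints
    )
    # Case-insensitive set of approved thumbprints; blank lines are ignored.
    $approved = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in $ApprovedThumbprints) {
        $t = "$line".Trim()
        if ($t) { [void]$approved.Add($t) }
    }

    foreach ($cert in $Certificates) {
        $reasons = @()
        if (-not $approved.Contains($cert.Thumbprint)) { $reasons += 'not in baseline' }
        # A trusted root whose private key is stored on the same machine is the
        # root cert/private key pair pattern reported in the Dell case.
        if ($cert.HasPrivateKey) { $reasons += 'private key present on this machine' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

$baseline = Get-Content -Path $BaselinePath
$roots    = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
$findings = @(Compare-RootStore -Certificates $roots -ApprovedThumbprints $baseline)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1   # non-zero exit so a scheduled task or fleet agent can alert on it
}
Write-Output "All $($roots.Count) trusted roots match the baseline."
```

Windows can add Microsoft-trusted roots to the store on demand, so a "not in baseline" finding calls for review rather than automatic removal.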

You might ask, "What about small companies who buy a PC and use it as-is?" If you are too small to justify an automated OS install system, you probably buy machines rarely enough that you can do the process manually. Even companies with just 1-2 employees generally have a "PC guy/gal" that visits occasionally to do their IT. They should establish a standard build that they install for all customers, even the small ones.

You might ask, "What about my parents who don't have an IT department?" This blog isn't about consumer computing. That's not a cop-out. That's the truth. I am gravely concerned about this issue for consumers. They're in a really shitty situation and it is only going to get worse. I think this is why people are moving to iPads so rapidly. Solving this problem for the general Windows consumer is an unsolved problem.

The 3rd edition of The Practice of System and Network Administration (due out in Nov 2016) will have a greatly expanded section about workstation/laptop management. We call it "Workstation Fleet Management". We cover everything from workstation architecture to policy and delivery, and we even have a chapter on new employee onboarding.

You can read drafts of these chapters if you have a SafariBooksOnline (SBO) account: Chapters 4-11 are an 8-chapter sequence that covers everything you need to know about the subject.

We'd love your feedback about these chapters. You can submit feedback directly via SBO.

8 Comments

As consumer builds go, I find the Microsoft Signature builds to be the least offensive. If you have to buy a PC, get one from the Microsoft Store with a signature build. If you value your sanity, go to an Apple Store and get a Mac.

I agree that any of the major manufacturer builds, whether Dell, HP, Lenovo, Acer, ASUS or whoever, are terrible. They demand a secondary monetization stream from the laptop and will load it up with mind-numbing streams of crapware. You can help yourself a little with tools like PC Decrapifier, but a bare metal build from OS vendor install media is really the way to go.

"Anyone running the vendor-supplied OS with a machine they purchase is...

Wait. I'm trying to find the right word.

"Foolish?" No. That's too judgemental.

"Lazy?" No. That doesn't make the point I want to make.

"Unprofessional? Amateurish?" Again... not exactly my point.

"Negligent"?

Ah! Yes, that's the word I'm looking for."

Yes, sure that applies if it's a machine used in an enterprise environment, but if it's, say for instance, a non-techie freelancer that buys one of their machines to use for work, they are exposed because of Dell's negligence and incompetence.

Probably when they are buying one of their devices when they trust their brand.

It's going to be hugely detrimental to their brand value if any non-enterprise user is 'hacked'.

I am wondering with the changes in the Windows 10 set unless you have an enterprise contract if that having a "windows enterprise as a service" where freelancers buy into a co-op and get access to the "clean" version of the OS they need might be a workable model. [I am a Linux admin who has found trying to learn about Windows as easy as most Windows people learn Linux... horrible.. so trying to administer my freelance windows system has been a large amount of cargo cult that if I could offset to a reputable organization.. I would probably do so. The problem is proving something is reputable these days :)]

I don't agree. It's a concern because not everyone has the ability to reinstall Windows, and not every Dell is cared for by a systems administrator. Bad behavior should be punished, not ignored.

Wow Jobu, this is really messed up. Your distortion of responsibility is magnificent. The tech industry is a minefield of worthless liabilities and here you are lumping that responsibility onto the user?

The entire industry is spineless. A pleasure to see someone verbalise it in this manner.

There's also the situation like Lenovo, where the BIOS has the capability of screwing you even if you do a fresh install.

A bit rude to say it like that but it's the truth, never trust a pre-installed OS. They make money by loading crapware onto it. It's a shitty business.

Generally I agree with you. However, I do care about what Dell does since this is another precedent of a major manufacturer delivering a product that is severely compromised. A compromised system can quickly become a risk to others, so it doesn't only affect the owners.

Maybe we should do away with pre-installed operating systems altogether, it also helps people like me avoid the "Windows Tax"...
