Dell is posting unsigned updates to their website which fail to install

(infosec.exchange)

126 points | by luu 4 hours ago ago

20 comments

  • panny 3 hours ago

    > Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news

    If I were a hacker with no access to the signing keys, I'd probably label my updates as critical too, so you would try to find a way around the update signing.

    • 0xDEAFBEAD an hour ago

      So basically you're targeting a tiny fraction of power users who are capable and motivated to find and exploit a vulnerability on their own machine which bypasses update signing.

      I think you'll find more bang for your malicious buck elsewhere.

      • saghm an hour ago

        So wouldn't this logic also apply to updates that are signed with an invalid signature? And at that point, it sounds like you're saying that once something is signed and distributed, no one will ever try to compromise that and you're free and clear for the rest of time, which seems...dubious.

    • SoftTalker 2 hours ago

      But posting unsigned updates (if you somehow found a way to do that) would set off alarms in about 10 seconds, as we can see by this thread.

    • Retr0id 2 hours ago

      If I were a hacker in the same situation I'd keep looking for a more realistic strategy.

      • jagged-chisel an hour ago

        Does anyone seriously think that attackers won’t try every single potential avenue regardless of how “realistic” it seems?

  • SilasX an hour ago

    Wow that’s almost as bad as Firefox five years ago … except this probably doesn’t compromise privacy addons that will get someone killed.

    https://hacks.mozilla.org/2019/05/technical-details-on-the-r...

  • likeabatterycar 3 hours ago

    Or the upload to their CDN was truncated or corrupted, and the signature check worked as designed.

    But let's not let an opportunity to paint Dell as some evil yet incompetent corporation slip through our fingers.
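The distinction this comment draws, a file that is truncated in transit versus one that was never signed, can be checked before an installer is ever run. The following is an added example, not code from the thread or from Dell: it walks the PE headers of a downloaded update and reports whether the Authenticode certificate table is absent (unsigned) or points past the end of the file (truncated). The header offsets follow the PE/COFF specification; the sample images are constructed inline and carry no real code or signature, and the check does not cryptographically verify anything.

```python
import struct

# Offsets per the PE/COFF specification (assumed; not taken from the thread).
E_LFANEW_OFF = 0x3C
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot holding the certificate table


def classify_update(data: bytes) -> str:
    """Return 'not-pe', 'unsigned', 'truncated' or 'signature-present'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "not-pe"
    opt_off = pe_off + 24                 # 4-byte signature + 20-byte COFF header
    if opt_off + 2 > len(data):
        return "truncated"
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_base = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    sec_off = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec_off + 8 > len(data):
        return "truncated"                # file ends inside the optional header
    cert_off, cert_size = struct.unpack_from("<II", data, sec_off)
    if cert_off == 0 or cert_size == 0:
        return "unsigned"                 # no certificate table was ever attached
    if cert_off + cert_size > len(data):
        return "truncated"                # table declared but cut off by the download
    return "signature-present"            # still needs cryptographic verification


def build_sample(cert_off: int, cert_size: int, total_len: int) -> bytes:
    """Constructed minimal PE32+ image: headers plus zero padding, no real code."""
    pe_off = 0x80
    hdr = bytearray(pe_off + 24 + 240)    # PE32+ optional header is 240 bytes
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW_OFF, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 4, 0x8664)      # Machine: x64
    struct.pack_into("<H", hdr, pe_off + 20, 240)        # SizeOfOptionalHeader
    opt = pe_off + 24
    struct.pack_into("<H", hdr, opt, 0x20B)              # PE32+ magic
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, cert_size)
    return bytes(hdr).ljust(total_len, b"\0")[:total_len]


if __name__ == "__main__":
    signed = build_sample(3584, 512, 4096)       # table occupies the last 512 bytes
    print("unsigned  :", classify_update(build_sample(0, 0, 4096)))
    print("complete  :", classify_update(signed))
    print("truncated :", classify_update(signed[:3000]))
```

A "truncated" verdict points at the download or CDN path; an "unsigned" verdict means the published file itself lacks a certificate table, which is the case the thread is arguing about.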

    • bhaney 2 hours ago

      > This firmware update has been periodically failing since I got this laptop from work several weeks ago, and only today did I put in the effort to track down where it was hiding the logs with the real reason

      If they haven't pulled the "corrupt" firmware after it's been up and broken for weeks, I don't think anyone needs to rescind the "incompetent" label.

      • likeabatterycar 2 hours ago

        The only evidence we have is a single anecdote on Mastodon sparse on details and nothing you said can be validated.

        For all we know, the failure was in his employer's proxy server and the corrupt file was cached.

        Let's not wait for facts though, proceed immediately to the crucifixion of Dell.

        With everyone quick on the trigger to throw someone under the bus, imagine being a coworker in such a toxic environment.

        • harry8 2 hours ago

          Crucifixion? Really? Come on now...

          I paid Dell a bunch of money for a laptop. They pushed a BIOS update, which Ubuntu kindly relayed to me, that meant when I closed the lid and put the laptop in my bag as I sat beside my daughter's ICU bed, it fried the motherboard. No really. That was the /purpose/ of the BIOS "upgrade." Warranty after they remotely fried my machine? No, because it worked as designed.

          So yeah, going Bayesian, given none of us can be 100% sure about anything, my prior on Dell is they suck donkeys' gonads on all levels. Competence, honesty, service, everything - until evidence shows otherwise, and I've just told you why.

          Why is your prior that Dell are competent even when evidence suggests otherwise?

          • kaashif 26 minutes ago

            Can you give more information about what the stated purpose of the upgrade was? Surely they didn't actually tell you they wanted to brick your laptop remotely?

          • likeabatterycar an hour ago

            Why would you voluntarily use an OS that installs BIOS updates (broken or not) without consent? It's egregious even if the timing wasn't inconvenient.

    • zdragnar 3 hours ago

      Surely for something so important, they'd verify it rather than let it sit around for the public to point out.

      At a minimum this is definitely a process failure due to incompetence.

      • likeabatterycar 2 hours ago

        Maybe it was file system corruption, who knows?

        "Dell is posting unsigned update executables" is a loaded statement that implies this was intentional. Dell has been signing updates since before most infosec engineers were in middle school ogling cheerleaders. It's alarmist and highly unlikely this was intentional.

        • dumpsterdiver 2 hours ago

          That still wouldn’t excuse that someone clearly didn’t verify their work. No matter what the reason, ownership of this task was released before it should have been.

          • likeabatterycar 2 hours ago

            You have no evidence of that not happening. It could be corruption after the fact or failure during replication.

            The armchair wolves already smell blood and are assigning blame before a postmortem has even begun.

            • muppetman 2 hours ago

              You're right. A headline of "Dell's website is serving up unsigned updates" would be correct. But to garner more clicks and hype that's not how they've worded their tweet, instead it's worded to make it sound like Dell are doing this on purpose.

              • preciousoo an hour ago

                The original “tweet” didn’t attempt to infer reason or assign blame though. All it did was state two facts, according to their system.

        • ddtaylor 2 hours ago

          Dell is a large player in storage integrity for servers for exactly this purpose.